
Analysis Report 2760000.netprovfw.bin

Overview

General Information

Sample Name: 2760000.netprovfw.bin (renamed file extension from bin to exe)
Analysis ID: 345555
MD5: 90478bb3273d74a7a4bae530dee87174
SHA1: 8fa8f069d4391a21346de65a5ee729ad6ef56a60
SHA256: f865736f27acaaca93c530f82295fdddf9b97fc54f37732815e89ad660eb69e4

Detection

Emotet
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Emotet
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • 2760000.netprovfw.exe (PID: 3636 cmdline: 'C:\Users\user\Desktop\2760000.netprovfw.exe' MD5: 90478BB3273D74A7A4BAE530DEE87174)
    • WerFault.exe (PID: 4852 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
2760000.netprovfw.exe | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.2760000.netprovfw.exe.2760000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0.2.2760000.netprovfw.exe.2760000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 2760000.netprovfw.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: 2760000.netprovfw.exe | Virustotal: Detection: 50%
Source: 2760000.netprovfw.exe | ReversingLabs: Detection: 79%
Machine Learning detection for sample
Source: 2760000.netprovfw.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 2760000.netprovfw.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 2760000.netprovfw.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02763A10 _snwprintf,FindNextFileW,_snwprintf,FindFirstFileW
Source: 2760000.netprovfw.exe, 00000000.00000002.215076314.000000000076A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02761C70
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02767590
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02768180
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640
Source: 2760000.netprovfw.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 identical entries)
Source: 2760000.netprovfw.exe | Static PE information: No import functions for PE file found
Source: 2760000.netprovfw.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal68.troj.winEXE@2/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3636
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5C6.tmp
Source: 2760000.netprovfw.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Source: 2760000.netprovfw.exe | Virustotal: Detection: 50%
Source: 2760000.netprovfw.exe | ReversingLabs: Detection: 79%
Source: unknown | Process created: C:\Users\user\Desktop\2760000.netprovfw.exe 'C:\Users\user\Desktop\2760000.netprovfw.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640
Source: 2760000.netprovfw.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT
Source: 2760000.netprovfw.exe | Static PE information: real checksum: 0x59bfd should be: 0x6199f
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02765D70 push ecx; mov dword ptr [esp], 00008067h | 0_2_02765D71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02765F70 push ecx; mov dword ptr [esp], 000084ADh | 0_2_02765F71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02765E70 push ecx; mov dword ptr [esp], 00008D73h | 0_2_02765E71
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02765E40 push ecx; mov dword ptr [esp], 0000AEA2h | 0_2_02765E41
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02765D30 push ecx; mov dword ptr [esp], 00002C7Ch | 0_2_02765D31
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02765F20 push ecx; mov dword ptr [esp], 0000E2ADh | 0_2_02765F21
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02765D00 push ecx; mov dword ptr [esp], 000021B4h | 0_2_02765D01
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02765DE0 push ecx; mov dword ptr [esp], 000025AAh | 0_2_02765DE1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02765FB0 push ecx; mov dword ptr [esp], 0000460Eh | 0_2_02765FB1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02765EA0 push ecx; mov dword ptr [esp], 00007473h | 0_2_02765EA1
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02765DA0 push ecx; mov dword ptr [esp], 000036B8h | 0_2_02765DA1
Source: initial sample | Static PE information: section name: .text entropy: 6.84651766717
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS, NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (19 identical entries)
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02763A10 _snwprintf,FindNextFileW,_snwprintf,FindFirstFileW
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02763F70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2760000.netprovfw.exe | Code function: 0_2_02764E10 mov eax, dword ptr fs:[00000030h]

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 2760000.netprovfw.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.0.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.2760000.netprovfw.exe.2760000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

(Numbers in parentheses are the count of matching signatures in this report.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (1) | Virtualization/Sandbox Evasion (1) | Input Capture (1) | Security Software Discovery (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Software Packing (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (2) | NTDS | System Information Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
2760000.netprovfw.exe | 50% | Virustotal |
2760000.netprovfw.exe | 79% | ReversingLabs | Win32.Trojan.Convagent
2760000.netprovfw.exe | 100% | Avira | TR/Crypt.XPACK.Gen
2760000.netprovfw.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.1.2760000.netprovfw.exe.2760000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.2760000.netprovfw.exe.2760000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.2760000.netprovfw.exe.2760000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP info

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 345555
Start date: 28.01.2021
Start time: 16:27:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 26s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 2760000.netprovfw.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.troj.winEXE@2/4@0/0
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 100% (good quality ratio 99.3%)
• Quality average: 71.8%
• Quality standard deviation: 20.8%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Stop behavior analysis, all processes terminated
Warnings:
• Exclude process from analysis (whitelisted): WerFault.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 52.255.188.83
• Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com

Simulations

Behavior and APIs

Time | Type | Description
16:27:54 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_2760000.netprovf_50482980db6f70d047bdd5f2b763ef22b1cfde7_9c33c211_129efdf4\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 10994
Entropy (8bit): 3.7614659673061346
Encrypted: false
SSDEEP: 96:zAaFnqcKJ1hskDRf2pXIQcQvc6QcEDMcw3Db+HbHg/uAnQ0DFV6Fq/TOiNkoJT4V:caF3VHBUZMXYjIa/u7scS274ItkS+
MD5: 720CE52891513A7CE9B86362267F0DA5
SHA1: DEBB950A22077D504E7615EAF440772D1903A500
SHA-256: 694BB24B19E45591A31DD2B4F2744B883E902E1A59692CD4735E4DE3AC58CCC8
SHA-512: F211EAD3CFDE2F98CCB5ADBBCCD0D5C27D35201B0AE5BB4A70E0B5E23BAD30010BF26DA94F41497B1F938CD5F45D1400A2368A8E28D4FA08CF3C9C47317EF8CC
Malicious: false
Reputation: low
Preview (decoded from UTF-16; truncated in the report):
Version=1
EventType=APPCRASH
EventTime=132563536720594296
ReportType=2
Consent=1
UploadTime=132563536727625487
ReportStatus=268435456
ReportIdentifier=4de9df13-bacd-4aab-87f5-a3711db50061
IntegratorReportIdentifier=a1137b77-bdf0-4dd7-8b36-622301097504
Wow64Host=34404
Wow64Guest=332
NsAppName=2760000.netprovfw.exe
AppSessionGuid=00000e34-0001-0017-ec39-3293d5f5d601
TargetAppId=W:0006d0fcc325598950a9bb8ca5b65891d6860000ffff!00008fa8f069d4391a21346de65a5ee729ad6ef56a60!2760000.netprov

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5C6.tmp.dmp
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 14 streams, Fri Jan 29 00:27:52 2021, 0x1205a4 type
Category: dropped
Size (bytes): 41726
Entropy (8bit): 2.2476995034013756
Encrypted: false
SSDEEP: 192:A1X2ZQnnUJO7htz2SKwrdcMhMDyTROcb5Kszgeb:W/gSKaS1DyTRRblvb
MD5: 87A7ABC2F6BEAB6144BC5B26B23AE74A
SHA1: 90BC5F6AD1F9D5474FC3AB9F696FC6B37F65B421
SHA-256: A14D136A44ECE61B85B934F9A0F7CD91704847AEF659196F536710F0F5F478BB
SHA-512: 6330C9B8B186F8FA0656C7FBF1AEF94BE11A519E6FE7D3511D7C7EF45D15B4288880564873F02F3B479541283DEC1F549255C73D6A4A90E60D6BDB38A4940C93
Malicious: false
Reputation: low
            Preview: MDMP....... ........V.`...................U...........B......T.......GenuineIntelW...........T.......4....V.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF78C.tmp.WERInternalMetadata.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 8316
Entropy (8bit): 3.694070001122533
Encrypted: false
SSDEEP: 192:Rrl7r3GLNi526b6YS3SUnYsgmfJfGSwCprR889b+sWsfG4Km:RrlsNio6b6YiSUnYsgmfJ+SJp+s1fN7
MD5: D984D43F2B351442B894831AED8A541A
SHA1: D17A0A15F90E05B8305E1593EB236CDE91B5CE5A
SHA-256: 10AB7323E241217ECA9B43DAAC0C0AEDA00A17B42CEEEB9253DD45B505746688
SHA-512: 55FEB2D609DF9EBD3ECC5960280B666412F455E6E1565FBC01D03C2FC8F183DD1439C5402685C0C2CE95ED3CB6B6DF3ED448708A6AABB783C06899CA429F17BE
Malicious: false
Reputation: low
Preview (decoded from UTF-16; truncated in the report):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>17134</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
    <Revision>1</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>1033</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>3636</Pid>

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF81A.tmp.xml
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4605
Entropy (8bit): 4.454386786497803
Encrypted: false
SSDEEP: 48:cvIwSD8zsxlJgtWI9EKWSC8Bq8fm8M4JzXYlFs8+q8I6ROC6vG6d:uITf53rSN9JR8JVvG6d
MD5: 5EF659495C5F15CBFFB7E779342ECDF1
SHA1: 9E271CDB285588F5EE1A8F0D125EA0E6EB149E03
SHA-256: EC7E8E6E007E9BA87CF04894BD00BB64B1BAE5E8D8851B82B054BC0B12C08873
SHA-512: 9C386FE1DC6B6B8C5F7F62DAD5A39AF7AB911361F65CBD6880CA541B2FFEA2EE470E466251C44376F64946B00E5F7A3418CB6B69157006E59D3BF51B49EF8D99
Malicious: false
Reputation: low
Preview (truncated in the report):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
  <tlm>
    <src>
      <desc>
        <mach>
          <os>
            <arg nm="vermaj" val="10" />
            <arg nm="vermin" val="0" />
            <arg nm="verbld" val="17134" />
            <arg nm="vercsdbld" val="1" />
            <arg nm="verqfe" val="1" />
            <arg nm="csdbld" val="1" />
            <arg nm="versp" val="0" />
            <arg nm="arch" val="9" />
            <arg nm="lcid" val="1033" />
            <arg nm="geoid" val="244" />
            <arg nm="sku" val="48" />
            <arg nm="domain" val="0" />
            <arg nm="prodsuite" val="256" />
            <arg nm="ntprodtype" val="1" />
            <arg nm="platid" val="2" />
            <arg nm="tmsi" val="837218" />
            <arg nm="osinsty" val="1" />
            <arg nm="iever" val="11.1.17134.0-11.0.47" />
            <arg nm="portos" val="0" />
            <arg nm="ram" val="4096" />

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.529033895906113
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 2760000.netprovfw.exe
File size: 350208
MD5: 90478bb3273d74a7a4bae530dee87174
SHA1: 8fa8f069d4391a21346de65a5ee729ad6ef56a60
SHA256: f865736f27acaaca93c530f82295fdddf9b97fc54f37732815e89ad660eb69e4
SHA512: 4df47075f24abd5882f27e22d39c6a73b1586ddd1757539387a885e3f112e1e00b4b97b4f68d91ef5662c7a3973ab350fe5e1e68d36943948ffa255315f51961
SSDEEP: 6144:Lt0Ju8YGNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqOY:x0J5nKXzJ4pdd3klnnWosPhnzqL
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../.../.../...".J.....R.p.....R.K.....Rich/...................PE..L...M.._.............................\............v........

File Icon

Icon Hash: c0d9f1f399a4c2c1

Static PE Info

General

Entrypoint: 0x2765cd0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x2760000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NO_ISOLATION, NX_COMPAT
Time Stamp: 0x5F90A34D [Wed Oct 21 21:08:29 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash:

Entrypoint Preview

Instruction
call 00007F0628F9DD70h
mov eax, dword ptr [0276E2C4h]
test eax, eax
jne 00007F0628F9D50Dh
mov ecx, A2CE093Fh
call 00007F0628F9B77Dh
mov edx, B9B17DC0h
mov ecx, eax
call 00007F0628F9B6D1h
mov dword ptr [0276E2C4h], eax
push 00000000h
call eax
retn 0010h
push ecx
mov dword ptr [esp], 000021B4h
add dword ptr [esp], 00005AC3h
shl dword ptr [esp], 04h
mov eax, dword ptr [esp]
shl eax, 06h
mov dword ptr [esp], eax
or dword ptr [esp], CC87922Ah
xor dword ptr [esp], CDF7DF6Ah
mov eax, dword ptr [esp]
pop ecx
ret
int3
push ecx
mov dword ptr [esp], 00002C7Ch
imul eax, dword ptr [esp], 2Dh
mov dword ptr [esp], eax
shl dword ptr [esp], 0Ch
xor dword ptr [esp], 9184714Ch
shl dword ptr [esp], 0Fh
or dword ptr [esp], 011C88C3h
xor dword ptr [esp], 59BE8863h
mov eax, dword ptr [esp]
pop ecx
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ecx
mov dword ptr [esp], 00008067h
xor dword ptr [esp], 30B3246Ch
add dword ptr [esp], 000090BEh
xor dword ptr [esp], 30B43B69h
mov eax, dword ptr [esp]
pop ecx
ret
int3
int3
int3
int3
int3

Rich Headers

Programming Language:
• [ASM] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x49800 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf000 | 0x74c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb000 | 0xa600 | False | 0.544686558735 | data | 6.84651766717 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xc000 | 0x1000 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xd000 | 0x2000 | 0xc00 | False | 0.851888020833 | data | 7.19591538106 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0xf000 | 0x1000 | 0x800 | False | 0.01123046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x10000 | 0x4a000 | 0x49800 | False | 0.348051525298 | data | 5.21306515691 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x102fc | 0x668 | data | |
RT_ICON | 0x10964 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2296940798, next used block 15239304 | |
RT_ICON | 0x10c4c | 0x1e8 | data | |
RT_ICON | 0x10e34 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x10f5c | 0xea8 | data | |
RT_ICON | 0x11e04 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14019316, next used block 14479096 | |
RT_ICON | 0x126ac | 0x6c8 | data | |
RT_ICON | 0x12d74 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x132dc | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x55304 | 0x25a8 | data | |
RT_ICON | 0x578ac | 0x10a8 | data | |
RT_ICON | 0x58954 | 0x988 | data | |
RT_ICON | 0x592dc | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x59744 | 0xbc | data | |

            Network Behavior

            Network Port Distribution

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jan 28, 2021 16:27:44.950273991 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
            Jan 28, 2021 16:27:45.001044035 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
            Jan 28, 2021 16:27:45.804285049 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
            Jan 28, 2021 16:27:45.852279902 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
            Jan 28, 2021 16:27:46.676866055 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
            Jan 28, 2021 16:27:46.728919983 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
            Jan 28, 2021 16:27:47.529217005 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
            Jan 28, 2021 16:27:47.577835083 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
            Jan 28, 2021 16:27:48.344050884 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
            Jan 28, 2021 16:27:48.394737959 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
            Jan 28, 2021 16:27:49.204808950 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
            Jan 28, 2021 16:27:49.261265993 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
            Jan 28, 2021 16:27:50.005877018 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
            Jan 28, 2021 16:27:50.057293892 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
            Jan 28, 2021 16:27:50.848668098 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
            Jan 28, 2021 16:27:50.896701097 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
            Jan 28, 2021 16:27:51.791634083 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
            Jan 28, 2021 16:27:51.844265938 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
            Jan 28, 2021 16:27:52.679951906 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
            Jan 28, 2021 16:27:52.727832079 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
            Jan 28, 2021 16:27:52.961210966 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
            Jan 28, 2021 16:27:53.011951923 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3

            Code Manipulations

            Statistics

            CPU Usage

            Memory Usage

            High Level Behavior Distribution

            Behavior

            System Behavior

            General

            Start time: 16:27:50
            Start date: 28/01/2021
            Path: C:\Users\user\Desktop\2760000.netprovfw.exe
            Wow64 process (32bit): true
            Commandline: 'C:\Users\user\Desktop\2760000.netprovfw.exe'
            Imagebase: 0x2760000
            File size: 350208 bytes
            MD5 hash: 90478BB3273D74A7A4BAE530DEE87174
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.206372217.0000000002761000.00000020.00020000.sdmp, Author: Joe Security
            Reputation: low

            General

            Start time: 16:27:51
            Start date: 28/01/2021
            Path: C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit): true
            Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 640
            Imagebase: 0x1210000
            File size: 434592 bytes
            MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
            Has elevated privileges: true
            Has administrator privileges: true
            Programmed in: C, C++ or other language
            Reputation: high

            Disassembly

            Code Analysis

              Execution Graph

              Execution Coverage: 2.7%
              Dynamic/Decrypted Code Coverage: 0%
              Signature Coverage: 5.4%
              Total number of Nodes: 971
              Total number of Limit Nodes: 4

              Graph

              execution_graph 5330 27631f0 5332 276320a 5330->5332 5331 27633d4 5333 27633a4 5331->5333 5340 2763f70 GetPEB 5331->5340 5332->5331 5332->5333 5337 2763f70 GetPEB 5332->5337 5338 276337b RtlAllocateHeap 5332->5338 5339 2763ed0 GetPEB 5332->5339 5337->5332 5338->5332 5338->5333 5339->5332 5341 27633e8 5340->5341 5342 2763ed0 5341->5342 5343 2763f2c 5342->5343 5344 2763f0c 5342->5344 5343->5333 5344->5343 5345 2763f70 GetPEB 5344->5345 5348 2764115 5344->5348 5346 2764109 5345->5346 5347 2763ed0 GetPEB 5346->5347 5347->5348 5349 2763f70 GetPEB 5348->5349 5355 2764146 5348->5355 5351 276413a 5349->5351 5350 2763ed0 GetPEB 5352 2764177 5350->5352 5353 2763ed0 GetPEB 5351->5353 5352->5333 5353->5355 5354 2764158 5354->5333 5355->5350 5355->5354 6216 2769f38 6230 2769f29 6216->6230 6217 276a2fb 6222 276a31a 6217->6222 6224 2763f70 GetPEB 6217->6224 6218 276a2c8 6219 276b270 GetPEB 6219->6230 6220 27635e0 GetPEB 6220->6230 6221 2764b90 GetPEB 6221->6230 6231 2763f70 GetPEB 6222->6231 6236 276a342 6222->6236 6223 276aa20 GetPEB 6223->6230 6227 276a30e 6224->6227 6225 2764240 GetPEB 6225->6230 6226 27642e0 GetPEB 6226->6230 6229 2763ed0 GetPEB 6227->6229 6228 2761150 GetPEB 6228->6230 6229->6222 6230->6217 6230->6218 6230->6219 6230->6220 6230->6221 6230->6223 6230->6225 6230->6226 6230->6228 6233 2763ed0 GetPEB 6230->6233 6234 2763f70 GetPEB 6230->6234 6232 276a336 6231->6232 6235 2763ed0 GetPEB 6232->6235 6233->6230 6234->6230 6235->6236 6237 2761eb8 6243 2761ec0 6237->6243 6238 2761fbf 6239 2761fa4 6238->6239 6240 2763f70 GetPEB 6238->6240 6241 2761fe0 6240->6241 6242 2763ed0 GetPEB 6241->6242 6242->6239 6243->6238 6243->6239 6244 2763ed0 GetPEB 6243->6244 6245 2763f70 GetPEB 6243->6245 6244->6243 6245->6243 6208 2766df9 6215 2766e00 6208->6215 6209 27635e0 GetPEB 6209->6215 6210 2766f91 6211 2766f1e LoadLibraryW 6211->6215 6212 2766d50 GetPEB LoadLibraryW 6212->6215 6213 2763ed0 GetPEB 6213->6215 6214 2763f70 GetPEB 6214->6215 6215->6209 6215->6210 
6215->6211 6215->6212 6215->6213 6215->6214 6255 276ae60 6256 276ae74 6255->6256 6257 2765ff0 GetPEB 6256->6257 6268 276aefa 6256->6268 6258 276ae86 6257->6258 6259 2763430 GetPEB 6258->6259 6260 276ae9c 6259->6260 6261 276aed2 6260->6261 6262 2763f70 GetPEB 6260->6262 6265 2763f70 GetPEB 6261->6265 6261->6268 6263 276aec6 6262->6263 6264 2763ed0 GetPEB 6263->6264 6264->6261 6266 276aeee 6265->6266 6267 2763ed0 GetPEB 6266->6267 6267->6268 6287 2767ba0 6295 2767bb0 6287->6295 6288 2767cdc 6290 2763a10 3 API calls 6288->6290 6289 2767cd3 6292 2767cef 6290->6292 6291 27635e0 GetPEB 6291->6295 6293 2763ed0 GetPEB 6293->6295 6294 2763f70 GetPEB 6294->6295 6295->6288 6295->6289 6295->6291 6295->6293 6295->6294 6296 2761928 6317 276191f 6296->6317 6297 2761bce 6298 27636e0 GetPEB 6297->6298 6299 2761bd8 6298->6299 6302 2761bf9 6299->6302 6303 2763f70 GetPEB 6299->6303 6300 2761bac 6301 2763f70 GetPEB 6301->6317 6308 2761c2b 6302->6308 6309 2763f70 GetPEB 6302->6309 6305 2761bed 6303->6305 6304 2763ed0 GetPEB 6304->6317 6307 2763ed0 GetPEB 6305->6307 6306 2764e50 GetPEB 6306->6317 6307->6302 6311 2761c53 6308->6311 6313 2763f70 GetPEB 6308->6313 6310 2761c1f 6309->6310 6312 2763ed0 GetPEB 6310->6312 6312->6308 6314 2761c47 6313->6314 6316 2763ed0 GetPEB 6314->6316 6315 27636e0 GetPEB 6315->6317 6316->6311 6317->6297 6317->6300 6317->6301 6317->6304 6317->6306 6317->6315 6328 27661a8 6336 27661a2 6328->6336 6329 2765570 GetPEB 6329->6336 6330 276642e 6331 2766392 6332 2764ca0 GetPEB 6332->6336 6333 2763f70 GetPEB 6333->6336 6334 27642e0 GetPEB 6334->6336 6335 2763f70 GetPEB 6338 27663c5 6335->6338 6336->6329 6336->6331 6336->6332 6336->6333 6336->6334 6337 2763ed0 GetPEB 6336->6337 6336->6338 6337->6336 6338->6330 6338->6335 6339 2763ed0 GetPEB 6338->6339 6339->6338 5356 2765cd0 5363 2766550 5356->5363 5358 2765cd5 5359 2765cf4 5358->5359 5360 2763f70 GetPEB 5358->5360 5361 2765ce8 5360->5361 5362 2763ed0 GetPEB 5361->5362 5362->5359 5405 276656e 5363->5405 5365 2766d37 
5700 276b030 5365->5700 5368 2766b96 5368->5358 5370 2766ca6 5659 2768af0 5370->5659 5371 2766d2a 5682 2768500 5371->5682 5379 2764240 GetPEB 5379->5405 5380 2766d2f 5380->5358 5385 2766938 5385->5405 5523 2766df0 5385->5523 5386 2766cab 5386->5358 5400 2763f70 GetPEB 5400->5405 5402 2763ed0 GetPEB 5402->5405 5403 2764180 GetPEB 5403->5405 5405->5365 5405->5368 5405->5370 5405->5371 5405->5379 5405->5385 5405->5400 5405->5402 5405->5403 5406 27695e0 5405->5406 5419 2768c20 5405->5419 5428 2768730 5405->5428 5440 2764790 5405->5440 5450 27612b0 5405->5450 5473 2767df0 5405->5473 5483 2766fb0 5405->5483 5493 276ad30 5405->5493 5498 2769270 5405->5498 5505 2769cd0 5405->5505 5514 27693b0 5405->5514 5531 2765ff0 5405->5531 5552 2768180 5405->5552 5557 27684c0 5405->5557 5563 2768970 5405->5563 5573 276b180 5405->5573 5580 2769e10 5405->5580 5586 2763430 5405->5586 5596 2761840 5405->5596 5611 2763580 5405->5611 5621 27653a0 5405->5621 5626 27670f0 5405->5626 5632 276af20 5405->5632 5637 2766180 5405->5637 5649 2769010 5405->5649 5668 2768df0 5405->5668 5417 2769600 5406->5417 5408 27698b6 5409 27698d5 5408->5409 5410 2763f70 GetPEB 5408->5410 5715 2763190 5409->5715 5412 27698c9 5410->5412 5411 2769658 OpenSCManagerW 5411->5417 5414 2763ed0 GetPEB 5412->5414 5413 2763f70 GetPEB 5413->5417 5414->5409 5416 276976c 5416->5405 5417->5408 5417->5411 5417->5413 5417->5416 5418 2763ed0 GetPEB 5417->5418 5705 27679d0 5417->5705 5418->5417 5424 2768c40 5419->5424 5420 2768db7 5421 2763f70 GetPEB 5420->5421 5423 2768d6a 5420->5423 5422 2768dca 5421->5422 5427 2763ed0 GetPEB 5422->5427 5423->5405 5424->5420 5424->5423 5425 2763ed0 GetPEB 5424->5425 5426 2763f70 GetPEB 5424->5426 5425->5424 5426->5424 5427->5423 5437 2768751 5428->5437 5430 276893a 5431 2763f70 GetPEB 5430->5431 5432 27688fc 5430->5432 5433 276894d 5431->5433 5432->5405 5435 2763ed0 GetPEB 5433->5435 5435->5432 5436 2763f70 GetPEB 5436->5437 5437->5430 5437->5432 5437->5436 5438 2763ed0 GetPEB 5437->5438 5439 
2763580 GetPEB 5437->5439 5737 27635e0 5437->5737 5747 2765060 5437->5747 5438->5437 5439->5437 5441 27647a5 5440->5441 5448 27647bb 5440->5448 5442 2763f70 GetPEB 5441->5442 5444 27647af 5442->5444 5443 2763f70 GetPEB 5445 27647d7 5443->5445 5447 2763ed0 GetPEB 5444->5447 5449 2763ed0 GetPEB 5445->5449 5446 27647e3 5446->5405 5447->5448 5448->5443 5448->5446 5449->5446 5471 27612e1 5450->5471 5453 27635e0 GetPEB 5453->5471 5454 2761790 5454->5405 5455 27642e0 GetPEB 5455->5471 5456 2763ed0 GetPEB 5456->5471 5457 2761822 5458 2764240 GetPEB 5457->5458 5464 2761829 5458->5464 5461 27616b6 _snwprintf 5468 2763580 GetPEB 5461->5468 5462 2763f70 GetPEB 5462->5471 5464->5405 5468->5471 5470 2763580 GetPEB 5470->5471 5471->5453 5471->5454 5471->5455 5471->5456 5471->5457 5471->5461 5471->5462 5471->5464 5471->5470 5472 2764240 GetPEB 5471->5472 5782 2764180 5471->5782 5788 2761ea0 5471->5788 5797 2761900 5471->5797 5819 2762330 5471->5819 5832 2762010 5471->5832 5845 2764ec0 5471->5845 5850 2761c70 5471->5850 5866 2765bf0 5471->5866 5885 2762cf0 5471->5885 5472->5471 5482 2767ed8 5473->5482 5474 2768147 5475 2763f70 GetPEB 5474->5475 5478 276801a 5474->5478 5477 276815a 5475->5477 5476 27635e0 GetPEB 5476->5482 5479 2763ed0 GetPEB 5477->5479 5478->5405 5479->5478 5480 2763f70 GetPEB 5480->5482 5481 2763ed0 GetPEB 5481->5482 5482->5474 5482->5476 5482->5478 5482->5480 5482->5481 5484 2766fb9 5483->5484 5487 2766fcf 5483->5487 5485 2763f70 GetPEB 5484->5485 5486 2766fc3 5485->5486 5489 2763ed0 GetPEB 5486->5489 5488 2766ff8 5487->5488 5490 2763f70 GetPEB 5487->5490 5488->5405 5489->5487 5491 2766fec 5490->5491 5492 2763ed0 GetPEB 5491->5492 5492->5488 5494 276ad48 5493->5494 5496 276ae51 5493->5496 5495 2763ed0 GetPEB 5494->5495 5494->5496 5497 2763f70 GetPEB 5494->5497 5495->5494 5496->5405 5497->5494 5503 2769290 5498->5503 5500 2769333 5500->5405 5501 2763f70 GetPEB 5501->5503 5503->5500 5503->5501 5504 2763ed0 GetPEB 5503->5504 5931 27646e0 5503->5931 5946 2764ca0 
5503->5946 5504->5503 5513 2769ce0 5505->5513 5506 2769dbf 5508 2763f70 GetPEB 5506->5508 5509 2769d75 5506->5509 5507 2763f70 GetPEB 5507->5513 5510 2769dd2 5508->5510 5509->5405 5512 2763ed0 GetPEB 5510->5512 5511 2763ed0 GetPEB 5511->5513 5512->5509 5513->5506 5513->5507 5513->5509 5513->5511 5515 27693c0 5514->5515 5516 27693e6 5515->5516 5517 27695b1 5515->5517 5520 27635e0 GetPEB 5515->5520 5521 2763f70 GetPEB 5515->5521 5522 2763ed0 GetPEB 5515->5522 5516->5405 5955 27638a0 5517->5955 5520->5515 5521->5515 5522->5515 5528 2766e00 5523->5528 5524 27635e0 GetPEB 5524->5528 5525 2766f91 5525->5385 5526 2766f1e LoadLibraryW 5526->5528 5527 2766d50 GetPEB LoadLibraryW 5527->5528 5528->5524 5528->5525 5528->5526 5528->5527 5529 2763f70 GetPEB 5528->5529 5530 2763ed0 GetPEB 5528->5530 5529->5528 5530->5528 5981 27654c0 5531->5981 5533 27660d1 5535 27636e0 GetPEB 5533->5535 5534 27660c9 5534->5405 5536 27660dc 5535->5536 5538 27660fd 5536->5538 5540 2763f70 GetPEB 5536->5540 5537 2763f70 GetPEB 5539 2766004 5537->5539 5544 2763f70 GetPEB 5538->5544 5547 2766137 5538->5547 5539->5533 5539->5534 5539->5537 5541 2763ed0 GetPEB 5539->5541 5542 27660f1 5540->5542 5541->5539 5543 2763ed0 GetPEB 5542->5543 5543->5538 5545 276612b 5544->5545 5546 2763ed0 GetPEB 5545->5546 5546->5547 5548 2763f70 GetPEB 5547->5548 5549 276615f 5547->5549 5550 2766153 5548->5550 5549->5405 5551 2763ed0 GetPEB 5550->5551 5551->5549 5556 2768290 5552->5556 5553 2768411 5553->5405 5554 2763f70 GetPEB 5554->5556 5555 2763ed0 GetPEB 5555->5556 5556->5553 5556->5554 5556->5555 5558 27684df 5557->5558 5559 27684c9 5557->5559 5558->5405 5560 2763f70 GetPEB 5559->5560 5561 27684d3 5560->5561 5562 2763ed0 GetPEB 5561->5562 5562->5558 5571 2768984 5563->5571 5564 2768ad8 5991 27637d0 5564->5991 5565 27635e0 GetPEB 5565->5571 5566 27638a0 GetPEB 5566->5571 5568 2768a1a 5568->5405 5570 2763f70 GetPEB 5570->5571 5571->5564 5571->5565 5571->5566 5571->5568 5571->5570 5572 2763ed0 GetPEB 5571->5572 
5572->5571 5575 276b190 5573->5575 5574 276b20a 5574->5405 5575->5574 6010 276a890 5575->6010 6025 2769f10 5575->6025 6046 276a380 5575->6046 6062 276a540 5575->6062 5581 2769e1c 5580->5581 5585 2769e32 5580->5585 5582 2763f70 GetPEB 5581->5582 5583 2769e26 5582->5583 5584 2763ed0 GetPEB 5583->5584 5584->5585 5585->5405 5587 276346a 5586->5587 5588 276348f 5587->5588 5589 2763f70 GetPEB 5587->5589 5592 2763f70 GetPEB 5588->5592 5595 27634b7 5588->5595 5590 2763483 5589->5590 5591 2763ed0 GetPEB 5590->5591 5591->5588 5593 27634ab 5592->5593 5594 2763ed0 GetPEB 5593->5594 5594->5595 5595->5405 5597 2761862 5596->5597 5598 276184c 5596->5598 5602 2763f70 GetPEB 5597->5602 5604 276188b 5597->5604 5599 2763f70 GetPEB 5598->5599 5600 2761856 5599->5600 5601 2763ed0 GetPEB 5600->5601 5601->5597 5603 276187f 5602->5603 5605 2763ed0 GetPEB 5603->5605 5606 27618ee 5604->5606 6170 2762730 5604->6170 5605->5604 5606->5405 5608 27618d8 5609 27618dc 5608->5609 5610 2764240 GetPEB 5608->5610 5609->5405 5610->5606 5612 276358d 5611->5612 5615 27635a3 5611->5615 5613 2763f70 GetPEB 5612->5613 5614 2763597 5613->5614 5616 2763ed0 GetPEB 5614->5616 5617 2763f70 GetPEB 5615->5617 5619 27635cb 5615->5619 5616->5615 5618 27635bf 5617->5618 5620 2763ed0 GetPEB 5618->5620 5619->5405 5620->5619 5624 27653b0 5621->5624 5622 276545b 5622->5405 5623 2763f70 GetPEB 5623->5624 5624->5622 5624->5623 5625 2763ed0 GetPEB 5624->5625 5625->5624 5630 2767104 5626->5630 5627 2763f70 GetPEB 5627->5630 5628 27672ee 5628->5405 5629 27642e0 GetPEB 5629->5630 5630->5627 5630->5628 5630->5629 5631 2763ed0 GetPEB 5630->5631 5631->5630 5636 276af30 5632->5636 5633 276afff 5633->5405 5634 2763f70 GetPEB 5634->5636 5635 2763ed0 GetPEB 5635->5636 5636->5633 5636->5634 5636->5635 5639 27661a2 5637->5639 5640 27663c5 5639->5640 5642 2766392 5639->5642 5643 2764ca0 GetPEB 5639->5643 5644 2763ed0 GetPEB 5639->5644 5645 2763f70 GetPEB 5639->5645 5646 27642e0 GetPEB 5639->5646 6179 2765570 5639->6179 5641 276642e 
5640->5641 5647 2763f70 GetPEB 5640->5647 5648 2763ed0 GetPEB 5640->5648 5641->5405 5642->5405 5643->5639 5644->5639 5645->5639 5646->5639 5647->5640 5648->5640 5658 2769030 5649->5658 5650 276923c 5652 2763f70 GetPEB 5650->5652 5653 27691fe 5650->5653 5651 2763f70 GetPEB 5651->5658 5654 276924f 5652->5654 5653->5405 5656 2763ed0 GetPEB 5654->5656 5656->5653 5657 2763ed0 GetPEB 5657->5658 5658->5650 5658->5651 5658->5653 5658->5657 6188 2761000 5658->6188 5667 2768b00 5659->5667 5660 2768be7 5662 2764b90 GetPEB 5660->5662 5661 27635e0 GetPEB 5661->5667 5664 2768bf7 5662->5664 5663 2768b24 5663->5386 5664->5386 5665 2763ed0 GetPEB 5665->5667 5666 2763f70 GetPEB 5666->5667 5667->5660 5667->5661 5667->5663 5667->5665 5667->5666 5681 2768e10 5668->5681 5669 2768f31 5669->5405 5670 2763f70 GetPEB 5670->5681 5671 2768f8a 5672 2768fc5 5671->5672 5674 2763f70 GetPEB 5671->5674 5677 2768fed 5672->5677 5678 2763f70 GetPEB 5672->5678 5673 2763ed0 GetPEB 5673->5681 5675 2768fb9 5674->5675 5676 2763ed0 GetPEB 5675->5676 5676->5672 5677->5405 5679 2768fe1 5678->5679 5680 2763ed0 GetPEB 5679->5680 5680->5677 5681->5669 5681->5670 5681->5671 5681->5673 5699 2768513 5682->5699 5683 2768c20 GetPEB 5683->5699 5685 2768639 5685->5380 5686 27635e0 GetPEB 5686->5699 5687 27686c0 5688 27686df 5687->5688 5689 2763f70 GetPEB 5687->5689 5692 2768712 5688->5692 5694 2763f70 GetPEB 5688->5694 5690 27686d3 5689->5690 5693 2763ed0 GetPEB 5690->5693 5691 2763f70 GetPEB 5691->5699 5692->5380 5693->5688 5697 2768706 5694->5697 5695 27638a0 GetPEB 5695->5699 5696 2763ed0 GetPEB 5696->5699 5698 2763ed0 GetPEB 5697->5698 5698->5692 5699->5683 5699->5685 5699->5686 5699->5687 5699->5691 5699->5695 5699->5696 6197 27673e0 5699->6197 5701 276b03c 5700->5701 5702 2763f70 GetPEB 5701->5702 5703 276b172 5701->5703 5704 2763ed0 GetPEB 5701->5704 5702->5701 5703->5368 5704->5701 5712 27679f0 5705->5712 5706 2767b49 5707 2767b69 5706->5707 5709 2763f70 GetPEB 5706->5709 5707->5417 5708 2767b03 5708->5417 5711 
2767b5d 5709->5711 5710 2763f70 GetPEB 5710->5712 5713 2763ed0 GetPEB 5711->5713 5712->5706 5712->5708 5712->5710 5714 2763ed0 GetPEB 5712->5714 5713->5707 5714->5712 5716 27631a0 5715->5716 5718 27631c9 5716->5718 5720 2763a10 5716->5720 5718->5416 5719 27631e0 5719->5416 5732 2763a30 5720->5732 5721 2763c8c 5724 2763cab 5721->5724 5728 2763f70 GetPEB 5721->5728 5722 2763c6c FindFirstFileW 5723 2763cb3 5722->5723 5722->5732 5723->5719 5736 2763a10 GetPEB 5724->5736 5725 2763b65 FindNextFileW 5725->5732 5726 2763c3d 5726->5719 5727 2763f70 GetPEB 5727->5732 5729 2763c9f 5728->5729 5730 2763ed0 GetPEB 5729->5730 5730->5724 5731 27635e0 GetPEB 5731->5732 5732->5721 5732->5722 5732->5725 5732->5726 5732->5727 5732->5731 5733 2763ed0 GetPEB 5732->5733 5734 2763a10 GetPEB 5732->5734 5735 2763580 GetPEB 5732->5735 5733->5732 5734->5732 5735->5732 5736->5723 5738 2763603 5737->5738 5739 2763628 5738->5739 5740 2763f70 GetPEB 5738->5740 5743 2763f70 GetPEB 5739->5743 5746 2763650 5739->5746 5741 276361c 5740->5741 5742 2763ed0 GetPEB 5741->5742 5742->5739 5744 2763644 5743->5744 5745 2763ed0 GetPEB 5744->5745 5745->5746 5746->5437 5759 276507c 5747->5759 5748 276533c 5750 276535b 5748->5750 5751 2763f70 GetPEB 5748->5751 5749 2765383 5749->5437 5750->5749 5757 2763f70 GetPEB 5750->5757 5754 276534f 5751->5754 5755 2763ed0 GetPEB 5754->5755 5755->5750 5756 2763f70 GetPEB 5756->5759 5758 2765377 5757->5758 5761 2763ed0 GetPEB 5758->5761 5759->5748 5759->5749 5759->5756 5760 2763ed0 GetPEB 5759->5760 5762 27642e0 5759->5762 5772 2764240 5759->5772 5760->5759 5761->5749 5763 27642ed 5762->5763 5764 2764303 5762->5764 5765 2763f70 GetPEB 5763->5765 5768 2763f70 GetPEB 5764->5768 5771 276432b 5764->5771 5766 27642f7 5765->5766 5767 2763ed0 GetPEB 5766->5767 5767->5764 5769 276431f 5768->5769 5770 2763ed0 GetPEB 5769->5770 5770->5771 5771->5759 5773 276424d 5772->5773 5774 2764263 5772->5774 5775 2763f70 GetPEB 5773->5775 5778 2763f70 GetPEB 5774->5778 5781 276428b 5774->5781 
5776 2764257 5775->5776 5777 2763ed0 GetPEB 5776->5777 5777->5774 5779 276427f 5778->5779 5780 2763ed0 GetPEB 5779->5780 5780->5781 5781->5759 5783 27641a0 5782->5783 5784 2764192 5782->5784 5783->5471 5785 2763f70 GetPEB 5784->5785 5786 2764197 5785->5786 5787 2763ed0 GetPEB 5786->5787 5787->5783 5794 2761ec0 5788->5794 5789 2761fbf 5790 2761fa4 5789->5790 5791 2763f70 GetPEB 5789->5791 5790->5471 5792 2761fe0 5791->5792 5793 2763ed0 GetPEB 5792->5793 5793->5790 5794->5789 5794->5790 5795 2763ed0 GetPEB 5794->5795 5796 2763f70 GetPEB 5794->5796 5795->5794 5796->5794 5814 276191f 5797->5814 5798 2761bce 5799 27636e0 GetPEB 5798->5799 5800 2761bd8 5799->5800 5802 2761bf9 5800->5802 5804 2763f70 GetPEB 5800->5804 5801 2761bac 5801->5471 5808 2761c2b 5802->5808 5809 2763f70 GetPEB 5802->5809 5803 2763f70 GetPEB 5803->5814 5805 2761bed 5804->5805 5807 2763ed0 GetPEB 5805->5807 5806 2764e50 GetPEB 5806->5814 5807->5802 5811 2761c53 5808->5811 5813 2763f70 GetPEB 5808->5813 5810 2761c1f 5809->5810 5812 2763ed0 GetPEB 5810->5812 5811->5471 5812->5808 5815 2761c47 5813->5815 5814->5798 5814->5801 5814->5803 5814->5806 5818 2763ed0 GetPEB 5814->5818 5899 27636e0 5814->5899 5817 2763ed0 GetPEB 5815->5817 5817->5811 5818->5814 5830 2762360 5819->5830 5820 27626c2 5822 27626b3 5820->5822 5823 27626eb 5820->5823 5824 2763f70 GetPEB 5820->5824 5821 2763f70 GetPEB 5821->5830 5822->5471 5823->5822 5827 2763f70 GetPEB 5823->5827 5825 27626df 5824->5825 5826 2763ed0 GetPEB 5825->5826 5826->5823 5828 2762707 5827->5828 5829 2763ed0 GetPEB 5828->5829 5829->5822 5830->5820 5830->5821 5830->5822 5831 2763ed0 GetPEB 5830->5831 5831->5830 5841 2762028 5832->5841 5833 27622c7 5834 27622bd 5833->5834 5835 27622ed 5833->5835 5836 2763f70 GetPEB 5833->5836 5834->5471 5835->5834 5840 2763f70 GetPEB 5835->5840 5838 27622e1 5836->5838 5837 2763f70 GetPEB 5837->5841 5839 2763ed0 GetPEB 5838->5839 5839->5835 5842 2762309 5840->5842 5841->5833 5841->5834 5841->5837 5843 2763ed0 GetPEB 5841->5843 
5844 2763ed0 GetPEB 5842->5844 5843->5841 5844->5834 5848 2764ed6 5845->5848 5846 2764f5d 5846->5471 5847 2763f70 GetPEB 5847->5848 5848->5846 5848->5847 5849 2763ed0 GetPEB 5848->5849 5849->5848 5851 2761d0c 5850->5851 5854 2761d22 5850->5854 5852 2763f70 GetPEB 5851->5852 5853 2761d16 5852->5853 5855 2763ed0 GetPEB 5853->5855 5856 2761de2 5854->5856 5857 2763f70 GetPEB 5854->5857 5855->5854 5859 2761e16 5856->5859 5861 2763f70 GetPEB 5856->5861 5858 2761dd6 5857->5858 5860 2763ed0 GetPEB 5858->5860 5864 2764ec0 GetPEB 5859->5864 5860->5856 5862 2761e0a 5861->5862 5863 2763ed0 GetPEB 5862->5863 5863->5859 5865 2761e4a 5864->5865 5865->5471 5867 2765c00 5866->5867 5868 2765c16 5866->5868 5869 2763f70 GetPEB 5867->5869 5872 2765c3e 5868->5872 5873 2763f70 GetPEB 5868->5873 5870 2765c0a 5869->5870 5871 2763ed0 GetPEB 5870->5871 5871->5868 5876 2765cc2 5872->5876 5877 2765c89 5872->5877 5878 2763f70 GetPEB 5872->5878 5874 2765c32 5873->5874 5875 2763ed0 GetPEB 5874->5875 5875->5872 5876->5471 5880 2765cb1 5877->5880 5882 2763f70 GetPEB 5877->5882 5879 2765c7d 5878->5879 5881 2763ed0 GetPEB 5879->5881 5880->5471 5881->5877 5883 2765ca5 5882->5883 5884 2763ed0 GetPEB 5883->5884 5884->5880 5898 2762d28 5885->5898 5886 2763145 5886->5471 5887 27642e0 GetPEB 5887->5898 5888 2763126 5888->5886 5892 2763f70 GetPEB 5888->5892 5890 27635e0 GetPEB 5890->5898 5891 2763ed0 GetPEB 5891->5898 5893 2763139 5892->5893 5894 2763ed0 GetPEB 5893->5894 5894->5886 5895 2763f70 GetPEB 5895->5898 5897 2764240 GetPEB 5897->5898 5898->5886 5898->5887 5898->5888 5898->5890 5898->5891 5898->5895 5898->5897 5909 2762a80 5898->5909 5922 27656d0 5898->5922 5900 2763704 5899->5900 5901 2763729 5900->5901 5902 2763f70 GetPEB 5900->5902 5905 2763f70 GetPEB 5901->5905 5908 2763751 5901->5908 5903 276371d 5902->5903 5904 2763ed0 GetPEB 5903->5904 5904->5901 5906 2763745 5905->5906 5907 2763ed0 GetPEB 5906->5907 5907->5908 5908->5814 5908->5908 5917 2762aa0 5909->5917 5910 2762bc2 5911 2762c0f 
5910->5911 5913 2762be7 5910->5913 5914 2763f70 GetPEB 5910->5914 5911->5898 5912 2763f70 GetPEB 5912->5917 5913->5911 5919 2763f70 GetPEB 5913->5919 5916 2762bdb 5914->5916 5915 2763ed0 GetPEB 5915->5917 5918 2763ed0 GetPEB 5916->5918 5917->5910 5917->5912 5917->5915 5918->5913 5920 2762c03 5919->5920 5921 2763ed0 GetPEB 5920->5921 5921->5911 5930 27656e1 5922->5930 5923 27657d5 5924 27657ce 5923->5924 5925 2763f70 GetPEB 5923->5925 5924->5898 5926 27657e8 5925->5926 5928 2763ed0 GetPEB 5926->5928 5927 2763f70 GetPEB 5927->5930 5928->5924 5929 2763ed0 GetPEB 5929->5930 5930->5923 5930->5924 5930->5927 5930->5929 5932 27646f7 5931->5932 5938 276470d 5931->5938 5933 2763f70 GetPEB 5932->5933 5934 2764701 5933->5934 5935 2763ed0 GetPEB 5934->5935 5935->5938 5936 2764780 5936->5503 5937 2764741 5942 2763f70 GetPEB 5937->5942 5945 2764772 5937->5945 5938->5936 5938->5937 5939 2763f70 GetPEB 5938->5939 5940 2764735 5939->5940 5941 2763ed0 GetPEB 5940->5941 5941->5937 5943 2764766 5942->5943 5944 2763ed0 GetPEB 5943->5944 5944->5945 5945->5503 5950 2764cc0 5946->5950 5947 2764da0 5947->5503 5948 2763f70 GetPEB 5948->5950 5949 2764ddf 5949->5947 5951 2763f70 GetPEB 5949->5951 5950->5947 5950->5948 5950->5949 5954 2763ed0 GetPEB 5950->5954 5952 2764df2 5951->5952 5953 2763ed0 GetPEB 5952->5953 5953->5947 5954->5950 5956 27638b5 5955->5956 5957 27638cb 5955->5957 5958 2763f70 GetPEB 5956->5958 5961 27638fd 5957->5961 5962 2763f70 GetPEB 5957->5962 5959 27638bf 5958->5959 5960 2763ed0 GetPEB 5959->5960 5960->5957 5964 2763932 5961->5964 5966 2763f70 GetPEB 5961->5966 5963 27638f1 5962->5963 5965 2763ed0 GetPEB 5963->5965 5969 2763f70 GetPEB 5964->5969 5971 276396a 5964->5971 5965->5961 5967 2763926 5966->5967 5968 2763ed0 GetPEB 5967->5968 5968->5964 5970 276395e 5969->5970 5973 2763ed0 GetPEB 5970->5973 5972 2763996 5971->5972 5974 2763f70 GetPEB 5971->5974 5977 27639ec 5972->5977 5978 2763f70 GetPEB 5972->5978 5973->5971 5975 276398a 5974->5975 5976 2763ed0 GetPEB 
5975->5976 5976->5972 5977->5405 5979 27639e0 5978->5979 5980 2763ed0 GetPEB 5979->5980 5980->5977 5982 27654d6 5981->5982 5986 27654ec 5981->5986 5983 2763f70 GetPEB 5982->5983 5984 27654e0 5983->5984 5985 2763ed0 GetPEB 5984->5985 5985->5986 5987 2765546 5986->5987 5988 2763f70 GetPEB 5986->5988 5987->5539 5989 276553a 5988->5989 5990 2763ed0 GetPEB 5989->5990 5990->5987 5992 27635e0 GetPEB 5991->5992 5993 27637e4 5992->5993 5994 2763805 5993->5994 5995 2763f70 GetPEB 5993->5995 5998 276383a 5994->5998 5999 2763f70 GetPEB 5994->5999 5996 27637f9 5995->5996 5997 2763ed0 GetPEB 5996->5997 5997->5994 6001 2763862 5998->6001 6003 2763f70 GetPEB 5998->6003 6000 276382e 5999->6000 6002 2763ed0 GetPEB 6000->6002 6006 2763f70 GetPEB 6001->6006 6007 276388e 6001->6007 6002->5998 6004 2763856 6003->6004 6005 2763ed0 GetPEB 6004->6005 6005->6001 6008 2763882 6006->6008 6007->5405 6009 2763ed0 GetPEB 6008->6009 6009->6007 6019 276a8a6 6010->6019 6011 276a9b9 6012 276a9d8 6011->6012 6014 2763f70 GetPEB 6011->6014 6018 276a970 6012->6018 6020 2763f70 GetPEB 6012->6020 6015 276a9cc 6014->6015 6017 2763ed0 GetPEB 6015->6017 6017->6012 6018->5575 6019->6011 6019->6018 6021 2763ed0 GetPEB 6019->6021 6022 2763f70 GetPEB 6019->6022 6075 2764b90 6019->6075 6094 276aa20 6019->6094 6023 276a9f4 6020->6023 6021->6019 6022->6019 6024 2763ed0 GetPEB 6023->6024 6024->6018 6045 2769f29 6025->6045 6026 276a2fb 6031 276a31a 6026->6031 6034 2763f70 GetPEB 6026->6034 6027 276a2c8 6027->5575 6029 27635e0 GetPEB 6029->6045 6030 2764b90 GetPEB 6030->6045 6040 276a342 6031->6040 6041 2763f70 GetPEB 6031->6041 6032 276aa20 GetPEB 6032->6045 6033 2763ed0 GetPEB 6033->6045 6037 276a30e 6034->6037 6035 2764240 GetPEB 6035->6045 6036 27642e0 GetPEB 6036->6045 6039 2763ed0 GetPEB 6037->6039 6039->6031 6040->5575 6042 276a336 6041->6042 6044 2763ed0 GetPEB 6042->6044 6043 2763f70 GetPEB 6043->6045 6044->6040 6045->6026 6045->6027 6045->6029 6045->6030 6045->6032 6045->6033 6045->6035 6045->6036 6045->6043 
6104 2761150 6045->6104 6113 276b270 6045->6113 6056 276a38f 6046->6056 6047 276a4a5 6047->5575 6048 276a4d1 6049 276a4f0 6048->6049 6051 2763f70 GetPEB 6048->6051 6057 276a518 6049->6057 6059 2763f70 GetPEB 6049->6059 6053 276a4e4 6051->6053 6052 27642e0 GetPEB 6052->6056 6055 2763ed0 GetPEB 6053->6055 6054 2763f70 GetPEB 6054->6056 6055->6049 6056->6047 6056->6048 6056->6052 6056->6054 6058 2763ed0 GetPEB 6056->6058 6126 2764390 6056->6126 6057->5575 6058->6056 6060 276a50c 6059->6060 6061 2763ed0 GetPEB 6060->6061 6061->6057 6073 276a565 6062->6073 6063 2764b90 GetPEB 6063->6073 6064 276a769 6064->5575 6065 276aa20 GetPEB 6065->6073 6066 276a85a 6067 2764240 GetPEB 6066->6067 6069 276a861 6067->6069 6069->5575 6071 2764790 GetPEB 6071->6073 6072 2763f70 GetPEB 6072->6073 6073->6063 6073->6064 6073->6065 6073->6066 6073->6071 6073->6072 6074 2763ed0 GetPEB 6073->6074 6151 27649c0 6073->6151 6161 2764870 6073->6161 6074->6073 6076 2764ba2 6075->6076 6077 2764bb8 6075->6077 6078 2763f70 GetPEB 6076->6078 6081 2763f70 GetPEB 6077->6081 6085 2764bf2 6077->6085 6079 2764bac 6078->6079 6080 2763ed0 GetPEB 6079->6080 6080->6077 6082 2764be6 6081->6082 6083 2763ed0 GetPEB 6082->6083 6083->6085 6084 2764c1f 6084->6019 6085->6084 6086 2764c53 6085->6086 6087 2763f70 GetPEB 6085->6087 6090 2763f70 GetPEB 6086->6090 6093 2764c7d 6086->6093 6088 2764c47 6087->6088 6089 2763ed0 GetPEB 6088->6089 6089->6086 6091 2764c71 6090->6091 6092 2763ed0 GetPEB 6091->6092 6092->6093 6093->6019 6103 276aa3d 6094->6103 6095 276acf0 6097 2763f70 GetPEB 6095->6097 6098 276abec 6095->6098 6096 27635e0 GetPEB 6096->6103 6100 276ad03 6097->6100 6098->6019 6099 2763f70 GetPEB 6099->6103 6101 2763ed0 GetPEB 6100->6101 6101->6098 6102 2763ed0 GetPEB 6102->6103 6103->6095 6103->6096 6103->6098 6103->6099 6103->6102 6111 2761160 6104->6111 6105 2761253 6106 276124b 6105->6106 6107 2763f70 GetPEB 6105->6107 6106->6045 6108 2761266 6107->6108 6110 2763ed0 GetPEB 6108->6110 6109 2763f70 GetPEB 

              Executed Functions

              Control-flow Graph

              C-Code - Quality: 68%
              			E02763A10(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
              				short _v524;
              				char _v1044;
              				short _v1588;
              				intOrPtr _v1590;
              				struct _WIN32_FIND_DATAW _v1636;
              				void* _v1640;
              				intOrPtr _v1652;
              				void* __ebx;
              				void* __ebp;
              				void* _t22;
              				void* _t24;
              				intOrPtr* _t27;
              				void* _t28;
              				intOrPtr* _t31;
              				intOrPtr* _t33;
              				intOrPtr* _t35;
              				signed int _t41;
              				signed int _t47;
              				intOrPtr* _t51;
              				intOrPtr _t56;
              				void* _t57;
              				void* _t92;
              				void* _t93;
              				void* _t94;
              				void* _t95;
              				void* _t96;
              				void* _t97;
              				void* _t99;
              
              				_t92 = __ecx;
              				_t96 = __edx;
              				_v1640 = __ecx;
              				_t22 = 0x56dbd88;
              				_t57 = _v1640;
              				while(1) {
              					L1:
              					_t99 = _t22 - 0x25e46432;
              					if(_t99 > 0) {
              						break;
              					}
              					if(_t99 == 0) {
              						_t94 = E027635E0(0x276d260);
              						_t31 =  *0x276dfa8;
              						if(_t31 == 0) {
              							_t31 = E02763ED0(_t57, E02763F70(0xff9ecf59), 0x8a3377c7, _t96);
              							 *0x276dfa8 = _t31;
              						}
              						 *_t31( &_v524, 0x104, _t94, _t92);
              						_t33 =  *0x276e510;
              						_t97 = _t97 + 0x10;
              						if(_t33 == 0) {
              							_t33 = E02763ED0(_t57, E02763F70(0xa2ce093f), 0x4fee74f4, _t96);
              							 *0x276e510 = _t33;
              						}
              						_t93 =  *_t33();
              						_t35 =  *0x276e728;
              						if(_t35 == 0) {
              							_t35 = E02763ED0(_t57, E02763F70(0xa2ce093f), 0x60520f89, _t96);
              							 *0x276e728 = _t35;
              						}
              						 *_t35(_t93, 0, _t94);
              						_t92 = _v1652;
              						_t22 = 0x2606abcf;
              						continue;
              					} else {
              						if(_t22 == 0x3269279) {
              							if( *0x276e494 == 0) {
              								 *0x276e494 = E02763ED0(_t57, E02763F70(0xa2ce093f), 0x9578f1de, _t96);
              							}
              							_t41 = FindNextFileW(_t57,  &_v1636); // executed
              							asm("sbb eax, eax");
              							_t22 = ( ~_t41 & 0xef51f558) + 0x2865deb9;
              							continue;
              						} else {
              							if(_t22 == 0x56dbd88) {
              								_t22 = 0x25e46432;
              								continue;
              							} else {
              								if(_t22 != 0x17b7d411) {
              									L30:
              									if(_t22 != 0x121c9a4f) {
              										continue;
              									} else {
              										return _t22;
              									}
              								} else {
              									if((_v1636.dwFileAttributes & 0x00000010) == 0) {
              										_t47 = _a4( &_v1636, _a8);
              										asm("sbb eax, eax");
              										_t22 = ( ~_t47 & 0xdac0b3c0) + 0x2865deb9;
              									} else {
              										if(_v1636.cFileName != 0x2e) {
              											L12:
              											if(_t96 == 0) {
              												goto L11;
              											} else {
              												_t95 = E027635E0(0x276d290);
              												_t51 =  *0x276dfa8;
              												if(_t51 == 0) {
              													_t51 = E02763ED0(_t57, E02763F70(0xff9ecf59), 0x8a3377c7, _t96);
              													 *0x276dfa8 = _t51;
              												}
              												 *_t51( &_v1044, 0x104, _t95, _t92,  &(_v1636.cFileName));
              												E02763A10( &_v1044, _t96, _a4, _a8);
              												_t97 = _t97 + 0x1c;
              												E02763580(_t95);
              												_t22 = 0x3269279;
              											}
              										} else {
              											_t56 = _v1590;
              											if(_t56 == 0 || _t56 == 0x2e && _v1588 == 0) {
              												L11:
              												_t22 = 0x3269279;
              											} else {
              												goto L12;
              											}
              										}
              									}
              									continue;
              								}
              							}
              						}
              					}
              					L40:
              				}
              				if(_t22 == 0x2606abcf) {
              					if( *0x276e4c0 == 0) {
              						 *0x276e4c0 = E02763ED0(_t57, E02763F70(0xa2ce093f), 0xb3ad1bd5, _t96);
              					}
              					_t24 = FindFirstFileW( &_v524,  &_v1636); // executed
              					_t57 = _t24;
              					if(_t57 == 0xffffffff) {
              						return _t24;
              					} else {
              						_t22 = 0x17b7d411;
              						goto L1;
              					}
              				} else {
              					if(_t22 == 0x2865deb9) {
              						_t27 =  *0x276db60; // 0x764f3c70
              						if(_t27 == 0) {
              							_t27 = E02763ED0(_t57, E02763F70(0xa2ce093f), 0xe2368c4e, _t96);
              							 *0x276db60 = _t27;
              						}
              						_t28 =  *_t27(_t57); // executed
              						return _t28;
              					}
              					goto L30;
              				}
              				goto L40;
              			}


              APIs
              • FindNextFileW.KERNELBASE(00000000,?), ref: 02763B6B
              • FindFirstFileW.KERNELBASE(?,?,?,?,00000001,00000000), ref: 02763C79
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, Offset: 02760000, based on PE: true
              • Associated: 00000000.00000002.215305838.0000000002760000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.215323266.000000000276D000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.215328752.0000000002770000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.215365326.00000000027B3000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2760000_2760000.jbxd
              Yara matches
              Similarity
              • API ID: FileFind$FirstNext
              • String ID: .$2d%$2d%$p<Ov
              • API String ID: 1690352074-1245611715
              • Opcode ID: c9ef446560f0f0cd59b7d3c6b5f96c878e6ba9629a9b88d0b95da125ab3cbca3
              • Instruction ID: aa700969b248e8cb25260a9d4caa9b690ad39fe3749ed155c5579e7a39e955f3
              • Opcode Fuzzy Hash: c9ef446560f0f0cd59b7d3c6b5f96c878e6ba9629a9b88d0b95da125ab3cbca3
              • Instruction Fuzzy Hash: D4514874B143454BDA24EA74D89CA7B36A29B90F14F04099DFD17D7280EF7ADC90CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 68%
              			E027695E0() {
              				char _v524;
              				signed int _v528;
              				char _v536;
              				void* _v544;
              				void* __ebx;
              				void* __ebp;
              				void* _t34;
              				intOrPtr* _t38;
              				intOrPtr* _t41;
              				intOrPtr* _t48;
              				intOrPtr* _t51;
              				intOrPtr* _t58;
              				intOrPtr* _t60;
              				intOrPtr* _t61;
              				void* _t69;
              				void* _t73;
              				intOrPtr* _t74;
              				void* _t110;
              				void* _t111;
              				intOrPtr _t112;
              				void* _t115;
              				void* _t116;
              
              				_t73 = 0;
              				_t34 = 0x4fd8c1c;
              				_t110 = _v528;
              				_t2 = _t73 + 1; // 0x1
              				_t112 = _t2;
              				goto L1;
              				do {
              					while(1) {
              						L1:
              						_t115 = _t34 - 0xc659709;
              						if(_t115 > 0) {
              							break;
              						}
              						if(_t115 == 0) {
              							_t74 =  *0x276de60;
              							__eflags = _t74;
              							if(_t74 == 0) {
              								_t74 = E02763ED0(_t73, E02763F70(0xe0348a28), 0x24548812, _t112);
              								 *0x276de60 = _t74;
              							}
              							_t48 =  *_t74(0, _v528, 0, 0,  *0x276e76c + 4); // executed
              							__eflags = _t48;
              							_t34 = 0x30f84703;
              							_t73 =  ==  ? _t112 : _t73;
              							continue;
              						} else {
              							_t116 = _t34 - 0x4fd8c1c;
              							if(_t116 > 0) {
              								__eflags = _t34 - 0x82e4cbf;
              								if(_t34 == 0x82e4cbf) {
              									_t51 =  *0x276de60;
              									__eflags = _t51;
              									if(_t51 == 0) {
              										_t51 = E02763ED0(_t73, E02763F70(0xe0348a28), 0x24548812, _t112);
              										 *0x276de60 = _t51;
              									}
              									 *_t51(0, 0x25, 0, 0,  &_v524); // executed
              									__eflags =  *0x276e76c + 0x434;
              									E02763190( *0x276e76c + 0x434);
              									goto L41;
              								} else {
              									goto L20;
              								}
              							} else {
              								if(_t116 == 0) {
              									_t58 =  *0x276e510;
              									__eflags = _t58;
              									if(_t58 == 0) {
              										_t58 = E02763ED0(_t73, E02763F70(0xa2ce093f), 0x4fee74f4, _t112);
              										 *0x276e510 = _t58;
              									}
              									_t111 =  *_t58();
              									_t60 =  *0x276e284;
              									__eflags = _t60;
              									if(_t60 == 0) {
              										_t60 = E02763ED0(_t73, E02763F70(0xa2ce093f), 0xafb2ca58, _t112);
              										 *0x276e284 = _t60;
              									}
              									_t61 =  *_t60(_t111, 8, 0x464);
              									 *0x276e76c = _t61;
              									__eflags = _t61;
              									if(_t61 == 0) {
              										L41:
              										return _t73;
              									} else {
              										 *((intOrPtr*)(_t61 + 0x21c)) = E02767BA0;
              										_t34 = 0x44d6e56;
              										continue;
              									}
              								} else {
              									if(_t34 == 0x2afa4be) {
              										_v528 = 0x9864;
              										_v528 = (_v528 << 4) + _v528;
              										_v528 = _v528 + 0x155;
              										_v528 = _v528 * 0x32;
              										_v528 = _v528 | 0xe97decb7;
              										_t82 = _v528;
              										_t34 = 0x1996b0b4;
              										_v528 = (_v528 - (0xaf286bcb * _t82 >> 0x20) >> 1) + (0xaf286bcb * _t82 >> 0x20) >> 5;
              										_v528 = _v528 ^ 0x06286be8;
              										continue;
              									} else {
              										if(_t34 != 0x44d6e56) {
              											goto L20;
              										} else {
              											if( *0x276de2c == 0) {
              												 *0x276de2c = E02763ED0(_t73, E02763F70(0x1f907751), 0x39f8d615, _t112);
              											}
              											_t69 = OpenSCManagerW(0, 0, 0xf003f); // executed
              											_t110 = _t69;
              											if(_t110 == 0) {
              												_t34 = 0x20c6c01c;
              											} else {
              												 *((intOrPtr*)( *0x276e76c + 0x210)) = _t112;
              												_t34 = 0x2afa4be;
              											}
              											continue;
              										}
              									}
              								}
              							}
              						}
              						L42:
              					}
              					__eflags = _t34 - 0x20c6c01c;
              					if(__eflags > 0) {
              						__eflags = _t34 - 0x30f84703;
              						if(_t34 != 0x30f84703) {
              							goto L20;
              						} else {
              							E027679D0(_t112);
              							_t34 = 0x1f3468e2;
              							goto L1;
              						}
              					} else {
              						if(__eflags == 0) {
              							_v528 = 0x9733;
              							_v528 = _v528 + 0xffffdc26;
              							_v528 = _v528 ^ 0x00007345;
              							 *((intOrPtr*)( *0x276e76c + 0x220)) = 0x2767b90;
              							_t34 = 0xc659709;
              							goto L1;
              						} else {
              							__eflags = _t34 - 0x1996b0b4;
              							if(_t34 == 0x1996b0b4) {
              								_t38 =  *0x276e244;
              								__eflags = _t38;
              								if(_t38 == 0) {
              									_t38 = E02763ED0(_t73, E02763F70(0x1f907751), 0x16cd4f34, _t112);
              									 *0x276e244 = _t38;
              								}
              								 *_t38(_t110);
              								_t34 = 0xc659709;
              								goto L1;
              							} else {
              								__eflags = _t34 - 0x1f3468e2;
              								if(_t34 != 0x1f3468e2) {
              									goto L20;
              								} else {
              									_t41 =  *0x276e4b4;
              									__eflags = _t41;
              									if(_t41 == 0) {
              										_t41 = E02763ED0(_t73, E02763F70(0xa2ce093f), 0x4d8b137f, _t112);
              										 *0x276e4b4 = _t41;
              									}
              									 *_t41(0,  &_v524, 0x104);
              									 *((intOrPtr*)( *0x276e76c + 0x214)) = E02763DC0( &_v536);
              									_t34 = 0x82e4cbf;
              									goto L1;
              								}
              							}
              						}
              					}
              					goto L42;
              					L20:
              					__eflags = _t34 - 0xb3cfb9c;
              				} while (_t34 != 0xb3cfb9c);
              				return _t73;
              				goto L42;
              			}


              APIs
              • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,0165F62F,?,?), ref: 02769661
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, Offset: 02760000, based on PE: true
              • Associated: 00000000.00000002.215305838.0000000002760000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.215323266.000000000276D000.00000004.00020000.sdmp Download File
              • Associated: 00000000.00000002.215328752.0000000002770000.00000002.00020000.sdmp Download File
              • Associated: 00000000.00000002.215365326.00000000027B3000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2760000_2760000.jbxd
              Yara matches
              Similarity
              • API ID: ManagerOpen
              • String ID: Es
              • API String ID: 1889721586-98273593
              • Opcode ID: 77baec06376fa2d7d7f32911937f70839b1045c35fe386d8bc8049b4164bfcd8
              • Instruction ID: 7cf59552f2ff410cf2520b96a362d6531278d06368a7dfcc43877246d7b5bb8f
              • Opcode Fuzzy Hash: 77baec06376fa2d7d7f32911937f70839b1045c35fe386d8bc8049b4164bfcd8
              • Instruction Fuzzy Hash: 33719230B44302CBDB54EF68959C77A72E69B90748F14481DFA05EB280EB74DD05CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 71%
              			E027631F0() {
              				void* __ebx;
              				void* __ecx;
              				void* __ebp;
              				void* _t42;
              				intOrPtr* _t46;
              				void* _t49;
              				intOrPtr _t69;
              				void** _t70;
              				intOrPtr* _t74;
              				intOrPtr* _t87;
              				signed int _t94;
              				void* _t99;
              				void* _t100;
              				signed int _t101;
              				void* _t102;
              				void* _t103;
              
              				_t69 =  *((intOrPtr*)(_t102 + 0xc));
              				_t42 = 0x1dcb8165;
              				_t101 =  *(_t102 + 0x10);
              				_t99 =  *(_t102 + 0x14);
              				_t94 =  *(_t102 + 0x18);
              				while(1) {
              					L1:
              					do {
              						while(1) {
              							L2:
              							_t103 = _t42 - 0x203fc101;
              							if(_t103 > 0) {
              								break;
              							}
              							if(_t103 == 0) {
              								_t87 =  *0x276e278;
              								if(_t87 == 0) {
              									_t87 = E02763ED0(_t69, E02763F70(0xa2ce093f), 0x1db67941, _t101);
              									 *0x276e278 = _t87;
              								}
              								 *_t87(_t99 + 0x14, _t101 + 0x2c, (_t94 - _t101 - 0x2c >> 1) + 1);
              								_t70 =  *(_t102 + 0x1c);
              								 *(_t99 + 0x10) =  *_t70;
              								_t70[9] = _t70[9] + 1;
              								 *_t70 = _t99;
              								L29:
              								return 1;
              							} else {
              								if(_t42 == 0x18e4ac0) {
              									_t42 =  ==  ? 0x32c3cf3c : 0x23f8715f;
              									continue;
              								} else {
              									if(_t42 == 0x12c9849e) {
              										_t74 =  *0x276e050;
              										if(_t74 == 0) {
              											_t74 = E02763ED0(_t69, E02763F70(0x6cce7f1d), 0xb1183767, _t101);
              											 *0x276e050 = _t74;
              										}
              										_t94 =  *_t74(_t101 + 0x2c);
              										_t42 = 0x268977c6;
              										while(1) {
              											L1:
              											goto L2;
              										}
              									} else {
              										if(_t42 != 0x1dcb8165) {
              											goto L21;
              										} else {
              											 *(_t102 + 0x10) = 0xfc75;
              											 *(_t102 + 0x10) =  *(_t102 + 0x10) << 6;
              											 *(_t102 + 0x10) = ( *(_t102 + 0x10) << 6) +  *(_t102 + 0x10);
              											 *(_t102 + 0x10) =  *(_t102 + 0x10) << 2;
              											 *(_t102 + 0x10) =  *(_t102 + 0x10) ^ 0xce740b24;
              											 *(_t102 + 0x18) = 0x4730;
              											 *(_t102 + 0x18) =  *(_t102 + 0x18) + 0xffff1e2c;
              											_t42 = 0x12c9849e;
              											 *(_t102 + 0x18) = 0x88888889 *  *(_t102 + 0x18) >> 0x20 >> 3;
              											 *(_t102 + 0x18) =  *(_t102 + 0x18) + 0xffffd061;
              											 *(_t102 + 0x18) =  *(_t102 + 0x18) ^ 0x0f075745;
              											 *(_t102 + 0x18) =  *(_t102 + 0x18) + 0xffff0e80;
              											 *(_t102 + 0x18) =  *(_t102 + 0x18) + 0xf7d9;
              											 *(_t102 + 0x18) =  *(_t102 + 0x18) ^ 0x93f42d76;
              											while(1) {
              												L1:
              												goto L2;
              											}
              										}
              									}
              								}
              							}
              							L30:
              						}
              						if(_t42 == 0x23f8715f) {
              							if(_t69 !=  *(_t102 + 0x10)) {
              								goto L29;
              							} else {
              								_t42 = 0x32c3cf3c;
              								goto L2;
              							}
              						} else {
              							if(_t42 == 0x268977c6) {
              								_t69 = E02763DC0(_t94);
              								_t42 = 0x18e4ac0;
              								goto L1;
              							} else {
              								if(_t42 != 0x32c3cf3c) {
              									goto L21;
              								} else {
              									_t46 =  *0x276e510;
              									if(_t46 == 0) {
              										_t46 = E02763ED0(_t69, E02763F70(0xa2ce093f), 0x4fee74f4, _t101);
              										 *0x276e510 = _t46;
              									}
              									_t100 =  *_t46();
              									if( *0x276e284 == 0) {
              										 *0x276e284 = E02763ED0(_t69, E02763F70(0xa2ce093f), 0xafb2ca58, _t101);
              									}
              									_t49 = RtlAllocateHeap(_t100, 8, 0x220); // executed
              									_t99 = _t49;
              									if(_t99 == 0) {
              										goto L29;
              									} else {
              										_t42 = 0x203fc101;
              										while(1) {
              											L1:
              											goto L2;
              										}
              									}
              								}
              							}
              						}
              						goto L30;
              						L21:
              					} while (_t42 != 0x2f6b3b03);
              					return 1;
              					goto L30;
              				}
              			}

              APIs
              • RtlAllocateHeap.NTDLL(00000000,00000008,00000220), ref: 02763383
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, Offset: 02760000, based on PE: true
              • Associated: 00000000.00000002.215305838.0000000002760000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.215323266.000000000276D000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.215328752.0000000002770000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.215365326.00000000027B3000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2760000_2760000.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID: 0G
              • API String ID: 1279760036-1982328895
              • Opcode ID: bfd84d2a5e1fc010d6bb751c9ae6459283ba2530a541d51d9dbc1cbf6b01f774
              • Instruction ID: e46138a4aed6327d5984a18e7f3d9aaee795dde20bfe49dfa5355672c5979ae7
              • Opcode Fuzzy Hash: bfd84d2a5e1fc010d6bb751c9ae6459283ba2530a541d51d9dbc1cbf6b01f774
              • Instruction Fuzzy Hash: CE51AE71B043418FCB68DE68948CA3F77E2ABD5B44F24495EE956C7250EB70C809CB92
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 215 2766df0-2766df7 216 2766e00-2766e05 215->216 217 2766e95-2766e9a 216->217 218 2766e0b 216->218 221 2766ee3-2766ee8 217->221 222 2766e9c 217->222 219 2766e7c-2766e90 call 2766d50 218->219 220 2766e0d-2766e12 218->220 219->216 226 2766e14 220->226 227 2766e5b-2766e60 220->227 223 2766f86-2766f8b 221->223 224 2766eee-2766f01 call 27635e0 221->224 228 2766e9e-2766ea3 222->228 229 2766ecd-2766ede call 2766d50 222->229 223->216 238 2766f91-2766f93 223->238 248 2766f03-2766f19 call 2763f70 call 2763ed0 224->248 249 2766f1e-2766f31 LoadLibraryW 224->249 234 2766e16-2766e1b 226->234 235 2766e45-2766e59 call 2766d50 226->235 227->223 231 2766e66-2766e7a call 2766d50 227->231 236 2766f94-2766f9f 228->236 237 2766ea9-2766eae 228->237 229->216 231->216 243 2766e2f-2766e43 call 2766d50 234->243 244 2766e1d-2766e22 234->244 235->216 237->223 245 2766eb4-2766ec8 call 2766d50 237->245 243->216 244->223 250 2766e28-2766e2d 244->250 245->216 248->249 254 2766f33-2766f49 call 2763f70 call 2763ed0 249->254 255 2766f4e-2766f59 249->255 250->216 254->255 264 2766f76-2766f81 255->264 265 2766f5b-2766f71 call 2763f70 call 2763ed0 255->265 264->216 265->264
              C-Code - Quality: 78%
              			E02766DF0() {
              				void* _t5;
              				struct HINSTANCE__* _t8;
              				intOrPtr* _t9;
              				intOrPtr* _t11;
              				struct HINSTANCE__* _t19;
              				intOrPtr* _t20;
              				intOrPtr* _t22;
              				void* _t28;
              				void* _t64;
              				void* _t67;
              				WCHAR* _t68;
              				WCHAR* _t70;
              				void* _t71;
              				void* _t72;
              				void* _t73;
              
              				_t5 = 0xe46a2c2;
              				goto L8;
              				do {
              					while(1) {
              						L8:
              						_t72 = _t5 - 0x2001edc0;
              						if(_t72 > 0) {
              							break;
              						}
              						if(_t72 == 0) {
              							L1();
              							_t5 = 0x1dbe20d6;
              							continue;
              						} else {
              							_t73 = _t5 - 0x109b17e8;
              							if(_t73 > 0) {
              								__eflags = _t5 - 0x1dbe20d6;
              								if(_t5 != 0x1dbe20d6) {
              									goto L34;
              								} else {
              									L1();
              									_t5 = 0x21c77cd5;
              									continue;
              								}
              							} else {
              								if(_t73 == 0) {
              									L1();
              									_t5 = 0x2001edc0;
              									continue;
              								} else {
              									if(_t5 == 0x90f50f2) {
              										L1();
              										_t5 = 0x109b17e8;
              										continue;
              									} else {
              										if(_t5 != 0xe46a2c2) {
              											goto L34;
              										} else {
              											_t5 = 0x363fcdb8;
              											continue;
              										}
              									}
              								}
              							}
              						}
              						L37:
              					}
              					__eflags = _t5 - 0x363fcdb8;
              					if(__eflags > 0) {
              						__eflags = _t5 - 0x3a08b342;
              						if(_t5 != 0x3a08b342) {
              							goto L34;
              						} else {
              							_t68 = E027635E0(0x276d8c0);
              							__eflags =  *0x276e660;
              							if( *0x276e660 == 0) {
              								 *0x276e660 = E02763ED0(_t28, E02763F70(0xa2ce093f), 0xd4f02753, _t71);
              							}
              							_t8 = LoadLibraryW(_t68); // executed
              							 *( *0x276e768 + 0x10) = _t8;
              							_t9 =  *0x276e510;
              							__eflags = _t9;
              							if(_t9 == 0) {
              								_t9 = E02763ED0(_t28, E02763F70(0xa2ce093f), 0x4fee74f4, _t71);
              								 *0x276e510 = _t9;
              							}
              							_t64 =  *_t9();
              							_t11 =  *0x276e728;
              							__eflags = _t11;
              							if(_t11 == 0) {
              								_t11 = E02763ED0(_t28, E02763F70(0xa2ce093f), 0x60520f89, _t71);
              								 *0x276e728 = _t11;
              							}
              							 *_t11(_t64, 0, _t68);
              							_t5 = 0x90f50f2;
              							goto L8;
              						}
              					} else {
              						if(__eflags == 0) {
              							L1();
              							_t5 = 0x32ebfde0;
              							goto L8;
              						} else {
              							__eflags = _t5 - 0x21c77cd5;
              							if(_t5 == 0x21c77cd5) {
              								_pop(_t65);
              								_pop(_t69);
              								_t70 = E027635E0(0x276d800);
              								__eflags =  *0x276e660;
              								if( *0x276e660 == 0) {
              									 *0x276e660 = E02763ED0(_t28, E02763F70(0xa2ce093f), 0xd4f02753, _t71);
              								}
              								_t19 = LoadLibraryW(_t70); // executed
              								 *( *0x276e768 + 0x24) = _t19;
              								_t20 =  *0x276e510;
              								__eflags = _t20;
              								if(_t20 == 0) {
              									_t20 = E02763ED0(_t28, E02763F70(0xa2ce093f), 0x4fee74f4, _t71);
              									 *0x276e510 = _t20;
              								}
              								_t67 =  *_t20();
              								_t22 =  *0x276e728;
              								__eflags = _t22;
              								if(_t22 == 0) {
              									_t22 = E02763ED0(_t28, E02763F70(0xa2ce093f), 0x60520f89, _t71);
              									 *0x276e728 = _t22;
              								}
              								return  *_t22(_t67, 0, _t70);
              							} else {
              								__eflags = _t5 - 0x32ebfde0;
              								if(_t5 != 0x32ebfde0) {
              									goto L34;
              								} else {
              									L1();
              									_t5 = 0x3a08b342;
              									goto L8;
              								}
              							}
              						}
              					}
              					goto L37;
              					L34:
              					__eflags = _t5 - 0x11587cd2;
              				} while (_t5 != 0x11587cd2);
              				return _t5;
              				goto L37;
              			}

              APIs
              • LoadLibraryW.KERNELBASE(00000000,?,0165F62F,0276693D), ref: 02766F1F
              Memory Dump Source
              • Source File: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, Offset: 02760000, based on PE: true
              • Associated: 00000000.00000002.215305838.0000000002760000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.215323266.000000000276D000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.215328752.0000000002770000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.215365326.00000000027B3000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2760000_2760000.jbxd
              Yara matches
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: 748482f9e532ab8b1a091a65682c987650ec416bd495843cc3dbeaccc0322763
              • Instruction ID: 13e83a2bb3f105937152ddce365127d5b69b56213878e71e020d59b0a37c3cc7
              • Opcode Fuzzy Hash: 748482f9e532ab8b1a091a65682c987650ec416bd495843cc3dbeaccc0322763
              • Instruction Fuzzy Hash: 4331D2347141014BEA3469EA946C77F01AFAB91644FA4486BED12EB744EF6CCC51CBE2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph

              C-Code - Quality: 75%
              			E02766D50(signed int __edx) {
              				struct HINSTANCE__* _t6;
              				intOrPtr* _t7;
              				intOrPtr* _t9;
              				void* _t15;
              				void* _t16;
              				signed int _t28;
              				void* _t29;
              				WCHAR* _t30;
              				void* _t31;
              
              				_t28 = __edx;
              				_t30 = E027635E0(_t16);
              				if( *0x276e660 == 0) {
              					 *0x276e660 = E02763ED0(_t15, E02763F70(0xa2ce093f), 0xd4f02753, _t31);
              				}
              				_t6 = LoadLibraryW(_t30); // executed
              				 *( *0x276e768 + 8 + _t28 * 4) = _t6;
              				_t7 =  *0x276e510;
              				if(_t7 == 0) {
              					_t7 = E02763ED0(_t15, E02763F70(0xa2ce093f), 0x4fee74f4, _t31);
              					 *0x276e510 = _t7;
              				}
              				_t29 =  *_t7();
              				_t9 =  *0x276e728;
              				if(_t9 == 0) {
              					_t9 = E02763ED0(_t15, E02763F70(0xa2ce093f), 0x60520f89, _t31);
              					 *0x276e728 = _t9;
              				}
              				return  *_t9(_t29, 0, _t30);
              			}

              APIs
              • LoadLibraryW.KERNELBASE(00000000,00000000,00000000,02766E8B), ref: 02766D80
              Memory Dump Source
              • Source File: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, Offset: 02760000, based on PE: true
              • Associated: 00000000.00000002.215305838.0000000002760000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.215323266.000000000276D000.00000004.00020000.sdmp
              • Associated: 00000000.00000002.215328752.0000000002770000.00000002.00020000.sdmp
              • Associated: 00000000.00000002.215365326.00000000027B3000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2760000_2760000.jbxd
              Yara matches
              Similarity
              • API ID: LibraryLoad
              • String ID:
              • API String ID: 1029625771-0
              • Opcode ID: cfb674214043de4019f5c97876673012548664d2ad277d6c329035522c0f486f
              • Instruction ID: 9c5bb615a4cb54327f0dba89c4c0ffc838afaad4994b0883bfe682fc39ac9385
              • Opcode Fuzzy Hash: cfb674214043de4019f5c97876673012548664d2ad277d6c329035522c0f486f
              • Instruction Fuzzy Hash: AB018434B402151BEB51BE79641CB7A26E79FD16947048869E915DB240FB74CC01CBB1
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 296 2767590-27676fc 297 2767704-276770a 296->297 298 2767710 297->298 299 27678bf-27678c5 297->299 302 2767716-276771c 298->302 303 2767835-276783c 298->303 300 27678c7-27678cd 299->300 301 27678dd-27678f0 call 27635e0 299->301 304 2767732-2767738 300->304 305 27678d3-27678d8 300->305 320 27678f2-2767908 call 2763f70 call 2763ed0 301->320 321 276790d-2767935 301->321 307 2767773-2767787 call 27635e0 302->307 308 276771e-2767724 302->308 309 276783e-2767854 call 2763f70 call 2763ed0 303->309 310 2767859-2767873 303->310 304->297 316 276773a-2767746 304->316 305->297 328 27677a7-27677e0 307->328 329 2767789-27677a1 call 2763f70 call 2763ed0 307->329 314 2767726-276772c 308->314 315 2767747-2767757 308->315 309->310 330 2767875-276788d call 2763f70 call 2763ed0 310->330 331 2767893-27678ba 310->331 314->304 324 276798a-2767991 314->324 317 2767769-2767771 315->317 318 2767759 315->318 317->297 325 2767760-2767767 318->325 320->321 346 2767937-276794d call 2763f70 call 2763ed0 321->346 347 2767952-276795d 321->347 332 2767993-27679a9 call 2763f70 call 2763ed0 324->332 333 27679ae-27679c0 324->333 325->317 325->325 353 27677e2-27677f8 call 2763f70 call 2763ed0 328->353 354 27677fd-276780a 328->354 329->328 330->331 331->297 332->333 346->347 364 276795f-2767975 call 2763f70 call 2763ed0 347->364 365 276797a-2767985 347->365 353->354 370 2767827-2767830 354->370 371 276780c-2767822 call 2763f70 call 2763ed0 354->371 364->365 365->297 370->304 371->370
              C-Code - Quality: 59%
              			E02767590() {
              				char _v520;
              				char _v524;
              				intOrPtr _v528;
              				signed int _v532;
              				signed int _v536;
              				signed int _v540;
              				signed int _v544;
              				signed int _v548;
              				signed int _v552;
              				intOrPtr _v564;
              				void* __ebx;
              				void* __ebp;
              				intOrPtr* _t126;
              				intOrPtr* _t128;
              				intOrPtr* _t130;
              				intOrPtr* _t132;
              				signed int _t133;
              				signed int _t137;
              				void* _t138;
              				intOrPtr* _t145;
              				intOrPtr* _t147;
              				intOrPtr* _t150;
              				void* _t164;
              				intOrPtr _t215;
              				intOrPtr* _t217;
              				intOrPtr* _t219;
              				intOrPtr _t227;
              				short* _t229;
              				signed int _t230;
              				void* _t231;
              				void* _t233;
              				signed int* _t234;
              				void* _t236;
              
              				_t234 =  &_v552;
              				_v552 = 0x2b72;
              				_v552 = _v552 >> 0xb;
              				_t167 = _v552;
              				_t164 = 0;
              				_v552 = (_v552 - (0x38138139 * _t167 >> 0x20) >> 1) + (0x38138139 * _t167 >> 0x20) >> 6;
              				_t227 = _v528;
              				_t230 = 0x30d6f711;
              				_v552 = _v552 * 0x2c;
              				_v552 = _v552 | 0xd7ebceff;
              				_v552 = _v552 * 0x49;
              				_v552 = 0x76b981db * _v552 >> 0x20 >> 5;
              				_v552 = _v552 + 0x427a;
              				_v552 = _v552 ^ 0x821ed6fb;
              				_v540 = 0x2d6a;
              				_v540 = _v540 << 6;
              				_v540 = _v540 >> 0xa;
              				_v540 = _v540 | 0x6df80007;
              				_v540 = _v540 >> 1;
              				_v540 = _v540 ^ 0x36fc016b;
              				_v532 = 0x8de6;
              				_v532 = _v532 * 0x75;
              				_v532 = _v532 ^ 0x0040da1e;
              				_v548 = 0x2f30;
              				_v548 = _v548 << 2;
              				_v548 = _v548 + 0xb5af;
              				_v548 = 0xae4c415d * _v548 >> 0x20 >> 5;
              				_v548 = _v548 << 3;
              				_v548 = _v548 >> 0xd;
              				_v548 = 0x5397829d * _v548 >> 0x20 >> 5;
              				_v548 = _v548 ^ 0x00000002;
              				_v544 = 0x6deb;
              				_v544 = _v544 ^ 0x08612ea8;
              				_v544 = (_v544 - (0x4104105 * _v544 >> 0x20) >> 1) + (0x4104105 * _v544 >> 0x20) >> 6;
              				_v544 = _v544 | 0x4e35d8be;
              				_v544 = _v544 * 0x7e;
              				_v544 = _v544 + 0xffff1311;
              				_v544 = _v544 + 0xffff14d6;
              				_v544 = _v544 ^ 0x7e81c9e9;
              				_v536 = 0x5749;
              				_v536 = _v536 * 0x2d;
              				_v536 = _v536 | 0x99ca3247;
              				_v536 = _v536 ^ 0x8c658436;
              				_v536 = _v536 ^ 0x15aaf3e0;
              				goto L1;
              				do {
              					while(1) {
              						L1:
              						_t236 = _t230 - 0x1aa406d8;
              						if(_t236 > 0) {
              							break;
              						}
              						if(_t236 == 0) {
              							_t132 =  *0x276e194;
              							if(_t132 == 0) {
              								_t132 = E02763ED0(_t164, E02763F70(0xa2ce093f), 0x14f35236, _t233);
              								 *0x276e194 = _t132;
              							}
              							_t133 =  *_t132( &_v520);
              							_t217 =  *0x276e2f4;
              							_v532 = 2 + _t133 * 2;
              							if(_t217 == 0) {
              								_t217 = E02763ED0(_t164, E02763F70(0x1f907751), 0x5304cbf0, _t233);
              								 *0x276e2f4 = _t217;
              							}
              							_t137 =  *_t217(_v528, _t227, _v548, _v540,  &_v524, _v532);
              							_t230 = 0xf7b9360;
              							asm("sbb ebx, ebx");
              							_t164 =  ~_t137 + 1;
              							continue;
              						} else {
              							if(_t230 == 0x2bda320) {
              								_t138 = E027635E0(0x276d9c0);
              								_t219 =  *0x276e51c;
              								_t233 = _t138;
              								if(_t219 == 0) {
              									_t219 = E02763ED0(_t164, E02763F70(0x1f907751), 0x3c3d6824, _t233);
              									 *0x276e51c = _t219;
              								}
              								 *_t219(_v552, _t233, _v540, 0, _v532, _v548, 0,  &_v524, 0);
              								asm("sbb esi, esi");
              								_t145 =  *0x276e510;
              								_t230 = (_t230 & 0x04cac4d3) + 0x1aa406d8;
              								if(_t145 == 0) {
              									_t145 = E02763ED0(_t164, E02763F70(0xa2ce093f), 0x4fee74f4, _t233);
              									 *0x276e510 = _t145;
              								}
              								_v564 =  *_t145();
              								_t147 =  *0x276e728;
              								if(_t147 == 0) {
              									_t147 = E02763ED0(_t164, E02763F70(0xa2ce093f), 0x60520f89, _t233);
              									 *0x276e728 = _t147;
              								}
              								 *_t147(_v564, 0, _t233);
              								goto L6;
              							} else {
              								if(_t230 == 0x7da1c92) {
              									_t229 =  *0x276e76c + 0x22c;
              									while( *_t229 != 0x5c) {
              										_t229 = _t229 + 2;
              									}
              									_t227 = _t229 + 2;
              									_t230 = 0x2bda320;
              									continue;
              								} else {
              									if(_t230 == 0xf7b9360) {
              										_t150 =  *0x276df0c; // 0x0
              										if(_t150 == 0) {
              											_t150 = E02763ED0(_t164, E02763F70(0x1f907751), 0x67ed786a, _t233);
              											 *0x276df0c = _t150;
              										}
              										 *_t150(_v524);
              										return _t164;
              									} else {
              										goto L6;
              									}
              								}
              							}
              						}
              						L37:
              					}
              					if(_t230 == 0x28c933eb) {
              						_t231 = E027635E0(0x276d940);
              						_t126 =  *0x276dfa8;
              						if(_t126 == 0) {
              							_t126 = E02763ED0(_t164, E02763F70(0xff9ecf59), 0x8a3377c7, _t233);
              							 *0x276dfa8 = _t126;
              						}
              						_t215 =  *0x276e76c;
              						 *_t126( &_v520, 0x104, _t231, _t215 + 4, _t215 + 0x22c);
              						_t128 =  *0x276e510;
              						_t234 =  &(_t234[5]);
              						if(_t128 == 0) {
              							_t128 = E02763ED0(_t164, E02763F70(0xa2ce093f), 0x4fee74f4, _t233);
              							 *0x276e510 = _t128;
              						}
              						_t233 =  *_t128();
              						_t130 =  *0x276e728;
              						if(_t130 == 0) {
              							_t130 = E02763ED0(_t164, E02763F70(0xa2ce093f), 0x60520f89, _t233);
              							 *0x276e728 = _t130;
              						}
              						 *_t130(_t233, 0, _t231);
              						_t230 = 0x7da1c92;
              						goto L1;
              					} else {
              						if(_t230 != 0x30d6f711) {
              							goto L6;
              						} else {
              							_t230 = 0x28c933eb;
              							goto L1;
              						}
              					}
              					goto L37;
              					L6:
              				} while (_t230 != 0x1f6ecbab);
              				return _t164;
              				goto L37;
              			}

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, Offset: 02760000, based on PE: true
               • Associated: 00000000.00000002.215305838.0000000002760000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.215323266.000000000276D000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.215328752.0000000002770000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.215365326.00000000027B3000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2760000_2760000.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: $h=<$0/$IW$j-$jxg$zB$m
              • API String ID: 0-322337970
              • Opcode ID: beb2cc04637eb566536f923bf63ac0d2403d45d448c08c0ea1cc319b987a0613
              • Instruction ID: 15ac6393943dec554df3100125fbd9f82131a756eb3572a9e85186548ce237ea
              • Opcode Fuzzy Hash: beb2cc04637eb566536f923bf63ac0d2403d45d448c08c0ea1cc319b987a0613
              • Instruction Fuzzy Hash: 31B1C071A043028FC718EF68D84DA6BB7E6EBD4648F04492DF9959B290E774DD04CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 58%
               			// E02768180: control-flow-flattened routine. _t168 is the state variable; the order
               			// actually executed is 0x3595795e -> 0x1645b90c -> 0xee3cd25 -> 0x2b778328 ->
               			// 0x1c30af83 -> 0x35d9b7d0, and 0x3afc61c is the exit state. Every state resolves
               			// one export by hash (E02763F70(0xa2ce093f) returns the module base, E02763ED0(...,
               			// <export hash>, ...) the export), caches the pointer in a global and calls through it.
               			// The report does not name the exports. API identities noted below are inferences
               			// from the argument shapes and the folded constants, not facts established by the report.
               			E02768180(void* __ebx, void* __ebp) {
               				char _v524;                 // wide-char path buffer, 0x104 (MAX_PATH) units
               				char _v564;                 // 0x28-byte (40-byte) output structure; its first 8 bytes are later read as a 64-bit value
               				char _v572;                 // 8-byte value written through the one-argument call in state 0x1c30af83
               				intOrPtr _v576;
               				signed int _v580;
               				signed int _v584;
               				signed int _v588;
               				signed int _v592;
               				intOrPtr _v596;
               				intOrPtr* _t97;
               				intOrPtr* _t100;
               				intOrPtr* _t111;
               				intOrPtr* _t113;
               				void* _t121;
               				void* _t122;
               				void* _t123;
               				signed int _t135;           // used below; missing from the decompiler's declarations
               				intOrPtr* _t143;
               				signed int _t164;
               				void* _t166;
               				signed int _t167;
               				signed int _t168;
               				intOrPtr _t169;
               				void* _t171;
               				void* _t174;
               
               				_t171 = __ebp;
               				_t123 = __ebx;
               				// Opaque constant chains: each one folds to a compile-time constant (32-bit unsigned
               				// arithmetic). The "(x - (M * x >> 0x20) >> 1) + (M * x >> 0x20) >> s" expressions are
               				// the compiler's multiply-by-magic idiom for unsigned division by a constant.
               				_v592 = 0x6dd;
               				_v592 = _v592 ^ 0xce456066;
               				_v592 = _v592 + 0xffffa445;
               				_v592 = _v592 + 0xffff7996;
               				_v592 = _v592 << 7;
               				_v592 = _v592 >> 0xd;
               				_v592 = (_v592 - (0x2c9fb4d9 * _v592 >> 0x20) >> 1) + (0x2c9fb4d9 * _v592 >> 0x20) >> 6;   // unsigned _v592 / 109
               				_v592 = _v592 + 0xffff3a7d;
               				_v592 = 0xcccccccd * _v592 >> 0x20 >> 4;                                                   // unsigned _v592 / 20
               				_v592 = _v592 ^ 0x0cccc38c;                                                                // _v592 == 0x80
               				_v580 = 0x8cf5;
               				_v580 = _v580 << 5;
               				_v580 = _v580 ^ 0x00119ea1;                                                                // _v580 == 1
               				_v588 = 0x90f6;
               				_v588 = _v588 << 0xd;
               				_v588 = _v588 + 0x3ce9;
               				_v588 = _v588 | 0x0c7838b4;
               				_v588 = (_v588 - (0x86186187 * _v588 >> 0x20) >> 1) + (0x86186187 * _v588 >> 0x20) >> 4;   // unsigned _v588 / 21
               				_v588 = _v588 | 0x532dd62d;
               				_v588 = _v588 + 0xfffff7fd;
               				_v588 = _v588 << 4;
               				_v588 = _v588 ^ 0x37fceec3;                                                                // _v588 == 3
               				_v584 = 0x2b6c;
               				_t135 = _v584;
               				_t168 = 0x3595795e;                                                                        // initial state
               				_v584 = (_v584 - (0x2f684bdb * _t135 >> 0x20) >> 1) + (0x2f684bdb * _t135 >> 0x20) >> 4;   // unsigned _v584 / 27
               				_t167 = _v580;
               				_v584 = _v584 + _v584 * 8;
               				_v584 = _v584 ^ 0x00000e73;                                                                // _v584 == 0
               				goto L1;
               				do {
               					while(1) {
               						L1:
               						_t174 = _t168 - 0x2b778328;
               						if(_t174 > 0) {
               							break;
               						}
               						if(_t174 == 0) {
               							// State 0x2b778328: four-argument call (handle, 0, &_v564, 0x28) through the export
               							// at hash 0xbb4ed8bd, then a one-argument call (handle) through hash 0x109cdf51.
               							// Shapes match GetFileInformationByHandleEx(h, FileBasicInfo = 0, &FILE_BASIC_INFO,
               							// sizeof = 0x28) followed by CloseHandle(h) (inference).
               							_t97 =  *0x276e5fc;
               							__eflags = _t97;
               							if(_t97 == 0) {
               								_t122 = E02763F70(0xa2ce093f);
               								_t164 = 0xbb4ed8bd;
               								_t97 = E02763ED0(_t123, _t122, 0xbb4ed8bd, _t171);
               								 *0x276e5fc = _t97;
               							}
               							 *_t97(_t167, 0,  &_v564, 0x28);
               							asm("sbb esi, esi");                   // esi = 0 or 0xffffffff from the carry derived from the call's result
               							_t100 =  *0x276e538;
               							// Next state is (esi & 0x1880e967) + 0x3afc61c: 0x1c30af83 (continue) or 0x3afc61c
               							// (exit with 0). The decompiler attributed the sbb result to _t168.
               							_t168 = (_t168 & 0x1880e967) + 0x3afc61c;
               							__eflags = _t100;
               							if(_t100 == 0) {
               								_t121 = E02763F70(0xa2ce093f);
               								_t164 = 0x109cdf51;
               								_t100 = E02763ED0(_t123, _t121, 0x109cdf51, _t171);
               								 *0x276e538 = _t100;
               							}
               							 *_t100(_t167);
               							goto L23;
               						} else {
               							if(_t168 == 0xee3cd25) {
               								// State 0xee3cd25: seven-argument call (&path, 0x80, 1, 0, 3, 0, 0) through hash
               								// 0x862fde4e; a result of 0xffffffff (INVALID_HANDLE_VALUE) ends the routine with 0.
               								// Shape and folded constants match CreateFileW(path, FILE_READ_ATTRIBUTES,
               								// FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL) (inference).
               								_t143 =  *0x276e14c;
               								__eflags = _t143;
               								if(_t143 == 0) {
               									_t143 = E02763ED0(_t123, E02763F70(0xa2ce093f), 0x862fde4e, _t171);
               									 *0x276e14c = _t143;
               								}
               								_t167 =  *_t143( &_v524, _v592, _v580, 0, _v588, _v584, 0);
               								__eflags = _t167 - 0xffffffff;
               								if(_t167 == 0xffffffff) {
               									goto L24;
               								} else {
               									_t168 = 0x2b778328;
               									continue;
               								}
               							} else {
               								if(_t168 == 0x1645b90c) {
               									// State 0x1645b90c: three-argument call (0, &_v524, 0x104) through hash 0x4d8b137f:
               									// NULL module handle, buffer, MAX_PATH, the shape of GetModuleFileNameW for the
               									// running image (inference).
               									_t111 =  *0x276e4b4;
               									__eflags = _t111;
               									if(_t111 == 0) {
               										_t111 = E02763ED0(_t123, E02763F70(0xa2ce093f), 0x4d8b137f, _t171);
               										 *0x276e4b4 = _t111;
               									}
               									 *_t111(0,  &_v524, 0x104);
               									_t168 = 0xee3cd25;
               									continue;
               								} else {
               									if(_t168 != 0x1c30af83) {
               										goto L23;
               									} else {
               										// State 0x1c30af83: one-argument call (&_v572) through hash 0x926b75fc; the 8-byte
               										// result is consumed as a 64-bit value in state 0x35d9b7d0 (GetSystemTimeAsFileTime-
               										// shaped, inference).
               										_t113 =  *0x276e230;
               										if(_t113 == 0) {
               											_t113 = E02763ED0(_t123, E02763F70(0xa2ce093f), 0x926b75fc, _t171);
               											 *0x276e230 = _t113;
               										}
               										 *_t113( &_v572);
               										_t168 = 0x35d9b7d0;
               										continue;
               									}
               								}
               							}
               						}
               						L30:
               					}
               					__eflags = _t168 - 0x3595795e;
               					if(_t168 == 0x3595795e) {
               						_t168 = 0x1645b90c;
               						goto L1;
               					} else {
               						__eflags = _t168 - 0x35d9b7d0;
               						if(_t168 == 0x35d9b7d0) {
               							// State 0x35d9b7d0: E0276B450(0xa8c00, 0, 0x989680, 0) has the argument shape of a
               							// 64-bit multiply helper. 0xa8c00 * 0x989680 = 691200 * 10^7 = 6912000000000, which is
               							// 691200 s = 8 days if the units are 100-ns FILETIME ticks (10^7 per second). The sbb
               							// below forms a 64-bit difference between the two 8-byte values gathered above and
               							// compares it with that product: 1 is returned on one side of the threshold, 0 on the
               							// other (the decompiler's stack-slot reuse hides which operand is subtracted from which).
               							_v580 = 0xa8c00;
               							_v576 = 0;
               							_v596 = E0276B450(_v580, _v576, 0x989680, 0);
               							_v592 = _t164;
               							_t166 = _v588 - _v564;
               							_t169 = _v596;
               							asm("sbb ecx, [esp+0x3c]");            // high dword of the 64-bit subtraction
               							__eflags = _v584 - _v592;
               							if(__eflags < 0) {
               								break;                              // high dword below the threshold: leave the loop, return 0
               							} else {
               								if(__eflags > 0) {
               									L29:
               									return 1;
               								} else {
               									__eflags = _t166 - _t169;
               									if(_t166 < _t169) {
               										break;                          // high dwords equal, low dword below the threshold: return 0
               									} else {
               										goto L29;
               									}
               								}
               							}
               						} else {
               							goto L23;
               						}
               					}
               					goto L30;
               					L23:
               					__eflags = _t168 - 0x3afc61c;
               				} while (_t168 != 0x3afc61c);           // 0x3afc61c is the exit state
               				L24:
               				__eflags = 0;
               				return 0;
               				goto L30;
               			}
               
               Instruction address column for E02768180 (one address per pseudo-code line, 0x00000000 where the decompiler emitted none; per-line alignment was lost in extraction): 0x02768180 .. 0x02768483
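               The argument setup in E02768180 is worth folding rather than reading: the four chains assign _v592, _v580, _v588 and _v584, and each `(x - (M * x >> 0x20) >> 1) + (M * x >> 0x20) >> s` term is the compiler's multiply-by-magic idiom for unsigned division. The Python below is an added editorial example, not code from the Joe Sandbox report or from the sample: it re-evaluates the chains with 32-bit unsigned semantics and recovers the divisor hidden behind each magic constant. The constants are copied from the decompilation; the function names are the editor's.

```python
# Added example (not part of the Joe Sandbox report): constant-fold the obfuscated
# argument setup of E02768180 with 32-bit unsigned semantics.
MASK32 = 0xFFFFFFFF


def mulhi(x: int, m: int) -> int:
    """High dword of the 32x32 -> 64-bit unsigned product, i.e. the decompiler's `M * x >> 0x20`."""
    return ((x & MASK32) * (m & MASK32)) >> 32


def udiv_plain(x: int, m: int, shift: int) -> int:
    """mulhi(x, M) >> shift: unsigned division by a constant when the magic M fits in 32 bits."""
    return mulhi(x, m) >> shift


def udiv_addback(x: int, m: int, shift: int) -> int:
    """(((x - hi) >> 1) + hi) >> shift with hi = mulhi(x, M): the 'add back' form used when
    the real magic is 2**32 + M and does not fit in a register."""
    hi = mulhi(x, m)
    return ((((x & MASK32) - hi) >> 1) + hi) >> shift


def recover_divisor(m: int, shift: int, addback: bool) -> int:
    """Divisor d such that the idiom computes x // d; the compiler chose magic = ceil(2**k / d)."""
    magic = ((1 << 32) + m) if addback else m
    k = 32 + shift + (1 if addback else 0)
    return -(-(1 << k) // magic)   # ceiling division


def fold_v592() -> int:
    v = 0x6dd
    v ^= 0xce456066
    v = (v + 0xffffa445) & MASK32
    v = (v + 0xffff7996) & MASK32
    v = (v << 7) & MASK32
    v >>= 0xd
    v = udiv_addback(v, 0x2c9fb4d9, 6)   # x // 109
    v = (v + 0xffff3a7d) & MASK32
    v = udiv_plain(v, 0xcccccccd, 4)     # x // 20
    v ^= 0x0cccc38c
    return v


def fold_v580() -> int:
    v = 0x8cf5
    v = (v << 5) & MASK32
    v ^= 0x00119ea1
    return v


def fold_v588() -> int:
    v = 0x90f6
    v = (v << 0xd) & MASK32
    v = (v + 0x3ce9) & MASK32
    v |= 0x0c7838b4
    v = udiv_addback(v, 0x86186187, 4)   # x // 21
    v |= 0x532dd62d
    v = (v + 0xfffff7fd) & MASK32
    v = (v << 4) & MASK32
    v ^= 0x37fceec3
    return v


def fold_v584() -> int:
    v = 0x2b6c
    v = udiv_addback(v, 0x2f684bdb, 4)   # x // 27
    v = (v + v * 8) & MASK32
    v ^= 0x00000e73
    return v


def folded_call_arguments() -> dict:
    """The seven-argument call of state 0xee3cd25 with its constants folded.
    Positions follow the decompiler: (&path, _v592, _v580, 0, _v588, _v584, 0)."""
    return {
        "arg2_v592": fold_v592(),
        "arg3_v580": fold_v580(),
        "arg5_v588": fold_v588(),
        "arg6_v584": fold_v584(),
    }


if __name__ == "__main__":
    for name, value in folded_call_arguments().items():
        print(f"{name} = {value:#x}")
    for m, s, ab in ((0x2c9fb4d9, 6, True), (0xcccccccd, 4, False),
                     (0x86186187, 4, True), (0x2f684bdb, 4, True)):
        print(f"magic {m:#010x}, shift {s}, addback={ab}: divides by {recover_divisor(m, s, ab)}")
```

The chains fold to 0x80, 1, 3 and 0, so the call is made as (&path, 0x80, 1, 0, 3, 0, 0). Those are the numeric values of FILE_READ_ATTRIBUTES, FILE_SHARE_READ and OPEN_EXISTING, and the routine treats a return of 0xffffffff (INVALID_HANDLE_VALUE) as failure; that is what makes a CreateFileW-shaped call the natural reading, although the report itself does not resolve hash 0x862fde4e to a name.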

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, Offset: 02760000, based on PE: true
               • Associated: 00000000.00000002.215305838.0000000002760000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.215323266.000000000276D000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.215328752.0000000002770000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.215365326.00000000027B3000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2760000_2760000.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: l+$<
              • API String ID: 0-3058352623
              • Opcode ID: a22796de955c8c485ec0b2040de42aa8f7592e21321a1245dadaab73a744ad97
              • Instruction ID: eb637ddec5f40202d87b11f3b66025f55312def75e5c0d49777c72d115b03220
              • Opcode Fuzzy Hash: a22796de955c8c485ec0b2040de42aa8f7592e21321a1245dadaab73a744ad97
              • Instruction Fuzzy Hash: 63716D71A083019FD718DE69C85CA3FB7E1AB84754F04891DF9A6AB290D774D908CF93
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 66%
               			// E02761C70(dst): writes a UTF-16 string into the buffer passed in __ecx. The export
               			// cached at 0x276dcb8 (hash 0xe8ade68d, module key 0xa2ce093f) is called three times
               			// and each result is reduced modulo a folded constant, the way a random-number source
               			// is consumed (inference; the report does not name the export).
               			E02761C70(void* __ecx) {
               				char _v4;                  // third value, handed to E02764EC0
               				signed int _v8;
               				signed int _v12;
               				void* __ebx;
               				void* __ebp;
               				intOrPtr* _t95;
               				signed int _t96;
               				intOrPtr* _t103;
               				signed int _t104;
               				intOrPtr* _t106;
               				int _t112;
               				void* _t117;               // never assigned; the decompiler passes it through as a register residue
               				signed int _t119;
               				signed int _t131;
               				void* _t152;
               				void* _t156;
               				void* _t157;               // same
               				signed int _t159;
               				signed int* _t160;
               
               				_t160 =  &_v12;
               				_v8 = 0x7f87;                                                                              // opaque constant chain (base length)
               				_t156 = __ecx;
               				_v8 = (_v8 - (0x24924925 * _v8 >> 0x20) >> 1) + (0x24924925 * _v8 >> 0x20) >> 4;       // unsigned _v8 / 28
               				_v8 = _v8 + 0xf09b;
               				_v8 = _v8 + 0xffff8e9d;
               				_v8 = _v8 ^ 0x000083cd;
               				_v12 = 0xc208;                                                                             // opaque constant chain (modulus)
               				_v12 = _v12 * 0x7c;
               				_v12 = _v12 << 2;
               				_v12 = _v12 + 0xa194;
               				_v12 = _v12 + 0x3b22;
               				_v12 = _v12 >> 0xd;
               				_v12 = _v12 * 0x66;
               				_v12 = _v12 | 0x724bec35;
               				_t29 =  &_v12; // 0x724bec35
               				_v12 =  *_t29 * 0x54;
               				_v12 = _v12 ^ 0x823f0074;
               				_t95 =  *0x276dcb8; // 0x0
               				if(_t95 == 0) {
               					_t95 = E02763ED0(_t117, E02763F70(0xa2ce093f), 0xe8ade68d, _t157);
               					 *0x276dcb8 = _t95;
               				}
               				_t96 =  *_t95();                                      // first value
               				_v12 = 0x66f6;
               				_t159 = _v8 + _t96 % _v12;                            // length of the '-' run: base + (value mod range)
               				_v12 = _v12 * 0x3d;
               				_v12 = _v12 ^ 0x4c81d4a3;
               				_v12 = _v12 + 0x134f;
               				_v12 = _v12 << 0xc;
               				_v12 = _v12 >> 3;
               				_v12 = _v12 | 0xe0580857;
               				_v12 = _v12 + 0xffff8492;
               				_v12 = _v12 * 0x61;
               				_v12 = _v12 ^ 0x06597441;
               				_v8 = 0xe21a;
               				_v8 = _v8 << 0xe;
               				_v8 = _v8 * 0x6b;
               				_v8 = _v8 + 0xdc;
               				_v8 = 0xb21642c9 * _v8 >> 0x20 >> 6;                  // unsigned _v8 / 92
               				_v8 = _v8 + 0xffff4197;
               				_v8 = _v8 ^ 0x01bd13bf;
               				_t103 =  *0x276dcb8; // 0x0
               				if(_t103 == 0) {
               					_t103 = E02763ED0(_t117, E02763F70(0xa2ce093f), 0xe8ade68d, _t159);
               					 *0x276dcb8 = _t103;
               				}
               				_t104 =  *_t103();                                    // second value
               				_t106 =  *0x276dcb8; // 0x0
               				_t119 = _v12 + _t104 % _v8;                           // length of the second part
               				if(_t106 == 0) {
               					_t106 = E02763ED0(_t119, E02763F70(0xa2ce093f), 0xe8ade68d, _t159);
               					 *0x276dcb8 = _t106;
               				}
               				_v4 =  *_t106();                                      // third value, consumed by E02764EC0
               				if(_t159 != 0) {
               					_t152 = _t156;
               					_t131 = _t159 >> 1;
               					_t156 = _t156 + _t159 * 2;                        // advance the write pointer past the dashes
               					// rep stosd with eax = 0x002d002d: writes _t159 UTF-16 '-' characters, two per dword;
               					// the adc/second memset pair is the decompiler's rendering of the odd-length tail.
               					_t112 = memset(_t152, 0x2d002d, _t131 << 2);
               					asm("adc ecx, ecx");
               					memset(_t152 + _t131, _t112, 0);
               					_t160 =  &(_t160[6]);
               				}
               				E02764EC0(_t156, _t119,  &_v4);                        // emits _t119 further characters derived from _v4 (body not in this excerpt)
               				 *((short*)(_t156 + _t119 * 2)) = 0;                  // UTF-16 terminator
               				return 0;
               			}
               
               Instruction address column for E02761C70 (one address per pseudo-code line; per-line alignment was lost in extraction): 0x02761c70 .. 0x02761e59

              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, Offset: 02760000, based on PE: true
               • Associated: 00000000.00000002.215305838.0000000002760000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.215323266.000000000276D000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.215328752.0000000002770000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.215365326.00000000027B3000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2760000_2760000.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: 5Kr
              • API String ID: 0-1793118946
              • Opcode ID: 33aea7327ff3d9bc526804a5cafb0724759551c0a871e1a80ab2c4603959970c
              • Instruction ID: ba633acd4b6e0f63bfc56178db2d1bf9b271481caa484e10f161ae3d2234453a
              • Opcode Fuzzy Hash: 33aea7327ff3d9bc526804a5cafb0724759551c0a871e1a80ab2c4603959970c
              • Instruction Fuzzy Hash: 165138706083469FD348DF69D45952BB7E6AFC4324F00CD2DE4AA87290E7B8D918CF52
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
               			// E02763F70(key): hash-based module lookup. fs:[0x30] is the PEB on 32-bit Windows,
               			// PEB+0xc is Ldr and Ldr+0xc the InLoadOrderModuleList head. For each
               			// LDR_DATA_TABLE_ENTRY the routine hashes BaseDllName.Buffer (entry+0x30) and returns
               			// DllBase (entry+0x18) when (hash ^ 0x2db0ef4d) == key, or 0 when no module matches.
               			// Every caller in this report passes key 0xa2ce093f.
               			E02763F70(intOrPtr __ecx) {
               				intOrPtr _v4;
               				intOrPtr* _v8;
               				signed int _v12;
               				signed int _v16;
               				signed int _t67;
               				intOrPtr* _t68;
               				intOrPtr* _t71;
               				signed short* _t74;
               				signed int _t79;
               				signed int _t84;
               				signed int _t85;
               
               				_v4 = __ecx;
               				_t71 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;          // &PEB->Ldr->InLoadOrderModuleList
               				_v8 = _t71;
               				_t68 =  *_t71;                                              // first LDR_DATA_TABLE_ENTRY (Flink)
               				if(_t68 == _t71) {
               					L10:
               					return 0;
               				} else {
               					do {
               						_t74 =  *(_t68 + 0x30);                             // BaseDllName.Buffer (UTF-16)
               						_v16 = 0x64bc;                                      // seed chain; folds to 0
               						_v16 = _v16 + 0xffff85b7;
               						_v16 = _v16 ^ 0xe5a68224;
               						_v16 = _v16 << 6;
               						_v16 = _v16 | 0x7fa52244;
               						_v16 = _v16 + 0x7bfd;
               						_v16 = _v16 << 5;
               						_v16 = _v16 + 0xba34;
               						_v16 = _v16 ^ 0xfff73254;
               						_v12 = 0x1a8a;                                      // dead stores: overwritten three lines below
               						_v12 = _v12 + 0xffffd02b;
               						_v12 = _v12 << 0xe;
               						_v12 = _v12 ^ 0xfaad4006;
               						_v12 = 0xb8f9;                                      // shift amount; folds to 0x10
               						_v12 = _v12 ^ 0x3f0625fa;
               						_v12 = _v12 ^ 0x3f069d13;
               						if( *_t74 != 0) {
               							do {
               								_t85 = _v16;                                // previous hash
               								_v12 = 0x1a8a;                              // same dead stores, repeated by the compiler in the loop body
               								_v12 = _v12 + 0xffffd02b;
               								_v12 = _v12 << 0xe;
               								_v12 = _v12 ^ 0xfaad4006;
               								_v12 = 0xb8f9;
               								_v12 = _v12 ^ 0x3f0625fa;
               								_v12 = _v12 ^ 0x3f069d13;
               								_t84 = _v16 << (_v12 & 0x000000ff);           // hash << 16
               								_t67 =  *_t74 & 0x0000ffff;                   // next UTF-16 code unit
               								_t79 = _v16 << (_v12 & 0x000000ff);           // hash << 16 again
               								if(_t67 >= 0x41 && _t67 <= 0x5a) {
               									_t67 = _t67 + 0x20;                     // fold 'A'..'Z' to lower case
               								}
               								_v16 = _t67;
               								_t74 =  &(_t74[1]);
               								_v16 = _v16 + _t84;
               								_v16 = _v16 + _t79;
               								_v16 = _v16 - _t85;                         // hash = c + (hash << 16) + (hash << 16) - hash
               							} while ( *_t74 != 0);
               							_t71 = _v8;
               						}
               						if((_v16 ^ 0x2db0ef4d) == _v4) {                    // masked hash compared with the caller's key
               							return  *((intOrPtr*)(_t68 + 0x18));              // DllBase
               						} else {
               							goto L9;
               						}
               						goto L12;
               						L9:
               						_t68 =  *_t68;                                      // next entry (Flink)
               					} while (_t68 != _t71);                                 // stop when the list wraps to its head
               					goto L10;
               				}
               				L12:
               			}
               
               Instruction address column for E02763F70 (one address per pseudo-code line, 0x00000000 where the decompiler emitted none; per-line alignment was lost in extraction): 0x02763f79 .. 0x027640c9
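               E02763F70 above resolves a module by hash rather than by name: it walks PEB.Ldr.InLoadOrderModuleList, hashes each entry's BaseDllName and returns DllBase when the XOR-masked hash equals the argument. The Python below is an added editorial example, not code from the Joe Sandbox report or the sample: it reimplements that hash (seed and shift constants folded from the decompilation, 'A'..'Z' folded to lower case, 32-bit wraparound) so the key 0xa2ce093f used by every caller in this report can be replayed against candidate module names offline. Function names and the candidate list are the editor's.

```python
# Added example (not part of the Joe Sandbox report): the module-name hash that
# E02763F70 computes while walking PEB->Ldr->InLoadOrderModuleList.
MASK32 = 0xFFFFFFFF
HASH_XOR = 0x2db0ef4d      # applied to the running hash before the comparison (from the decompilation)
MODULE_KEY = 0xa2ce093f    # the argument every caller in this report passes to E02763F70


def fold_seed() -> int:
    """The _v16 setup chain from the decompilation, evaluated in 32-bit arithmetic; folds to 0."""
    v = 0x64bc
    v = (v + 0xffff85b7) & MASK32
    v ^= 0xe5a68224
    v = (v << 6) & MASK32
    v |= 0x7fa52244
    v = (v + 0x7bfd) & MASK32
    v = (v << 5) & MASK32
    v = (v + 0xba34) & MASK32
    v ^= 0xfff73254
    return v


def fold_shift() -> int:
    """The live _v12 chain (the 0x1a8a.. assignments before it are dead stores); folds to 0x10."""
    v = 0xb8f9
    v ^= 0x3f0625fa
    v ^= 0x3f069d13
    return v & 0xff


def module_name_hash(base_dll_name: str) -> int:
    """Hash of LDR_DATA_TABLE_ENTRY.BaseDllName exactly as E02763F70 computes it:
    for each UTF-16 code unit c, with 'A'..'Z' folded to lower case,
        h = c + (h << s) + (h << s) - h   (mod 2**32),  s = fold_shift() = 16,
    starting from fold_seed() = 0."""
    s = fold_shift()
    h = fold_seed()
    raw = base_dll_name.encode("utf-16-le")
    for i in range(0, len(raw), 2):
        c = raw[i] | (raw[i + 1] << 8)
        if 0x41 <= c <= 0x5a:
            c += 0x20
        h = (c + (h << s) + (h << s) - h) & MASK32
    return h


def module_matches(base_dll_name: str, key: int) -> bool:
    """E02763F70 returns the module's DllBase when (hash ^ HASH_XOR) == key."""
    return (module_name_hash(base_dll_name) ^ HASH_XOR) == key


def resolve_module_key(key: int, candidates) -> list:
    """Replay the lookup against a list of candidate BaseDllName values (the offline analyst's version
    of the loader-list walk). Returns every candidate whose masked hash equals the key."""
    return [name for name in candidates if module_matches(name, key)]


if __name__ == "__main__":
    # Constructed candidate list of typical BaseDllName values; extend it with the modules
    # loaded in the analysis process to resolve the key used by this sample.
    candidates = ["ntdll.dll", "kernel32.dll", "KERNELBASE.dll", "user32.dll",
                  "advapi32.dll", "shell32.dll", "ws2_32.dll", "wininet.dll"]
    hit = resolve_module_key(MODULE_KEY, candidates)
    print(f"module key {MODULE_KEY:#x} resolves to: {hit if hit else 'no candidate in the list'}")
```

The same hash, reduced over the export-name table instead of the loader list, is what E02763ED0 (not shown in this excerpt) would need for the export keys 0x4d8b137f, 0x862fde4e, 0xbb4ed8bd, 0x109cdf51, 0x926b75fc and 0xe8ade68d; the report gives no decompilation of that routine, so this example stops at the module level.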

              Memory Dump Source
              • Source File: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, Offset: 02760000, based on PE: true
               • Associated: 00000000.00000002.215305838.0000000002760000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.215323266.000000000276D000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.215328752.0000000002770000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.215365326.00000000027B3000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2760000_2760000.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 22aa781ee7178aeed58aad03df9c59772782321b8b8fbd99feb15a88168a4f89
              • Instruction ID: 24894c886efb03b75775b218fb612d9e9dec23f2940dba3cb82f2c5e920f1ed8
              • Opcode Fuzzy Hash: 22aa781ee7178aeed58aad03df9c59772782321b8b8fbd99feb15a88168a4f89
              • Instruction Fuzzy Hash: 113143725093528BD364CF24E59816BFBE0FF80B18F000D9DE8A196250D3B8DA4CCBA3
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
               			// E02764E10: returns fs:[0x30], the PEB pointer (TEB.ProcessEnvironmentBlock on 32-bit
               			// Windows). This is the "Contains functionality to read the PEB" behaviour listed in the
               			// signatures; E02763F70 reads the same pointer inline for its module-list walk.
               			E02764E10() {
               
               				return  *[fs:0x30];
               			}
               
               Instruction address for E02764E10: 0x02764e16

              Memory Dump Source
              • Source File: 00000000.00000002.215311677.0000000002761000.00000020.00020000.sdmp, Offset: 02760000, based on PE: true
               • Associated: 00000000.00000002.215305838.0000000002760000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.215323266.000000000276D000.00000004.00020000.sdmp
               • Associated: 00000000.00000002.215328752.0000000002770000.00000002.00020000.sdmp
               • Associated: 00000000.00000002.215365326.00000000027B3000.00000002.00020000.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_2760000_2760000.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
              • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
              • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
              • Instruction Fuzzy Hash:
              Uniqueness

              Uniqueness Score: -1.00%